
PN690 | EtherNet/IP™ Product Vulnerabilities

Severity: Critical, High
Advisory ID: PN690
Published Date: January 03, 2013
Last Updated: January 13, 2025
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes
CVE IDs: CVE-2012-6439, CVE-2012-6441, CVE-2012-6442, CVE-2012-6438, CVE-2012-6437

Summary
EtherNet/IP™ Product Vulnerabilities

 

Introduction

EtherNet/IP™ Product Vulnerabilities

Description

 

January 3, 2013 - version 1.0

Update to January 31, 2012

On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen‑Bradley 1756-ENBT communication module. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.

<Update A>

Rockwell Automation has released firmware to address two of the product vulnerabilities affecting specific controller, communication modules and adapters.

<Update A>

 

VULNERABILITY DETAILS

CVE-2012-6439

A Denial of Service (DoS) condition may result when an affected product receives a valid CIP message that changes the product’s configuration and network parameters. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in the controller platform or system.

<Update B>

Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance to EtherNet/IP specification.

 

CVE-2012-6441

An Information Disclosure of product-specific information unintended for normal use results when the affected product receives a specially crafted CIP packet.

<Update B>

 

CVE-2012-6442 

A Denial of Service (DoS) condition results when an affected product receives a valid CIP message that instructs the product to reset. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a temporary disruption of communication to other products in the controller platform or system.

<Update C>

Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance to EtherNet/IP specification.

<Update C>

CVE-2012-6438

A Denial of Service (DoS) condition and a product recoverable fault result when an affected product receives a malformed CIP packet. Receipt of such a message from an unauthorized source will cause a disruption of communication to other products in the controller platform or system. Recovery from a successful exploitation of this vulnerability requires the product to be reset via a power cycle to the chassis or removal and reinsertion of the module.

CVE-2012-6437

The potential exists for the affected product to accept an altered or corrupted firmware image during its upgrade process that may render the product inoperable or change its otherwise normal operation. Receipt of such a message from an unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in controller platform or system. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the product for other malicious activities.

 

AFFECTED PRODUCTS

Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:

CVE-2012-6439

  • All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications.

 

<Update D>

CVE-2012-6441

  • 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules

Note: Further evaluation has reduced the list of products affected by this vulnerability.

<Update D>

 

CVE-2012-6442 

  • All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications.

 

CVE-2012-6438

  • 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules
  • CompactLogix L32E and L35E controllers
  • 1788-ENBT FLEXLogix adapter
  • 1794-AENTR FLEX I/O EtherNet/IP adapter

<Update E>

Note: Evaluations continue to determine additional products that may be affected.

<Update E>

 

CVE-2012-6437

  • Products that do not support Rockwell Automation digital signature-based firmware validation

RISK MITIGATION

To help reduce the likelihood of compromise and the associated security risks, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:

<Update F>

CVE-2012-6439 and CVE-2012-6442: Mitigations

1. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

2. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the specific vulnerabilities:

  • CIP Ethernet configuration service

  • Messages sent to CIP Class code: 0xc0 with Service code: 0x97 service

  • CIP reset service

NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.
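
A CIP message filter of the kind described in mitigation 2 has to parse the EtherNet/IP encapsulation down to the CIP service and class codes before it can match them. The following Python is an added example, not Rockwell Automation code or part of this advisory; it covers only unconnected requests carried in SendRRData, and the encapsulation constants, the Reset service code and the reading of "Ethernet configuration service" as Set_Attribute requests to classes 0xF5/0xF6 are assumptions taken from the public CIP specification.

```python
import struct

# Constants below are assumptions from the public CIP/EtherNet/IP specs, not the advisory.
SEND_RR_DATA, UNCONNECTED_ITEM, RESET_SERVICE = 0x006F, 0x00B2, 0x05
SET_SERVICES = {0x02, 0x04, 0x10}        # Set_Attributes_All / _List / _Single
ETHERNET_CONFIG_CLASSES = {0xF5, 0xF6}   # assumed scope of "Ethernet configuration"

def parse_cip_request(frame: bytes):
    """Return (service, class_id) of an unconnected CIP message, or None."""
    if len(frame) < 24:
        return None
    command, length = struct.unpack_from("<HH", frame)
    body = frame[24:24 + length]
    if command != SEND_RR_DATA or len(body) != length or length < 8:
        return None
    item_count, off = struct.unpack_from("<H", body, 6)[0], 8
    for _ in range(item_count):
        if off + 4 > len(body):
            return None
        item_type, item_len = struct.unpack_from("<HH", body, off)
        data = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if len(data) != item_len:
            return None                      # truncated item: do not guess
        if item_type == UNCONNECTED_ITEM and item_len >= 2:
            path = data[2:2 + 2 * data[1]]   # path size is counted in 16-bit words
            if len(path) >= 2 and path[0] == 0x20:   # 8-bit class segment
                return data[0], path[1]
            if len(path) >= 4 and path[0] == 0x21:   # 16-bit class segment
                return data[0], struct.unpack_from("<H", path, 2)[0]
            return data[0], None
    return None

def classify(frame: bytes) -> str:
    service, class_id = parse_cip_request(frame) or (None, None)
    if service is None:
        return "ignore"
    if service == RESET_SERVICE:
        return "block: CIP reset service"
    if class_id == 0xC0 and service == 0x97:   # codes named in the advisory
        return "block: class 0xC0 service 0x97"
    if class_id in ETHERNET_CONFIG_CLASSES and service in SET_SERVICES:
        return "block: Ethernet configuration change"
    return "allow"

def sample(cip_hex: str) -> bytes:
    """Constructed test frame (not captured traffic): SendRRData wrapping one request."""
    cip = bytes.fromhex(cip_hex)
    cpf = struct.pack("<IHHHHHH", 0, 10, 2, 0, 0, UNCONNECTED_ITEM, len(cip)) + cip
    return struct.pack("<HHII8sI", SEND_RR_DATA, len(cpf), 1, 0, bytes(8), 0) + cpf
```

The "ignore" result means the frame is not an unconnected CIP request this classifier understands; whether such frames pass or are dropped is a deployment decision.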

Vulnerabilities CVE-2012-6441 and CVE-2012-6438: Mitigations

Communication Modules and Adapters

| Catalog Number | Description | Affected Products | New Firmware |
|---|---|---|---|
| 1756-ENBT | EtherNet/IP modules for ControlLogix platform | All firmware revisions prior to 6.005 | 6.005 |
| 1756-EWEB | Ethernet Webserver module for ControlLogix platform | All firmware revisions prior to 4.016 (Note: Updated 2 Jan 2013) | 4.016 (Note: Updated 2 Jan 2013) |
| 1768-ENBT | EtherNet/IP modules for CompactLogix platform | All firmware revisions prior to 4.004 (Note: Updated 2 Jan 2013) | 4.004 (Note: Updated 2 Jan 2013) |
| 1768-EWEB | Ethernet Webserver module for CompactLogix platform | All firmware revisions prior to 2.005 | 2.005 (Note: Updated 3 Jan 2013) |
| 1788-ENBT | FLEXLogix EtherNet/IP adapter | Evaluations continue | Evaluations continue |

Controllers

| Catalog Number | Description | Affected Products | New Firmware |
|---|---|---|---|
| CompactLogix L32E | CompactLogix Controller | All firmware revisions prior to 20.012 | 20.012 |
| CompactLogix L35E | CompactLogix Controller | All firmware revisions prior to 20.012 | 20.012 |

Distributed I/O

| Catalog Number | Description | Affected Products | New Firmware |
|---|---|---|---|
| 1794-AENTR | FLEX I/O EtherNet/IP adapter | Evaluations continue | Evaluations continue |

Find Downloads at:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx

 

CVE-2012-6437: Mitigations

At this time, Rockwell Automation continues to evaluate the technical feasibility of enhancing the 1756-ENBT to include a digital signature validation mechanism on firmware.

In lieu of this capability, concerned customers are recommended to employ good security design practices in their network architecture and also consider using the more contemporary 1756-EN2T EtherNet/IP communication modules for the ControlLogix platform.

The capability for the 1756-EN2T to validate digital signatures has been introduced in the below product release:

| Catalog Number | Description | New Firmware |
|---|---|---|
| 1756-EN2T | EtherNet/IP modules for ControlLogix platform that support digital signature validation on firmware | 5.028 |

Find Downloads at:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx

 

Other Rockwell Automation products:

1. Obtain product firmware only from trusted manufacturer sources.

2. Use only Rockwell Automation issued tools to perform product firmware upgrades.

3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

4. Refer to AID:433319 and AID:43320 for similar, previously released advisories that recommend similar mitigation strategies.

NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.

<Update F>

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.

3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

5. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.

6. Make sure that software and control system device firmware is patched to current releases.

7. Periodically change passwords in control system components and infrastructure devices.

8. Where applicable, set the controller key-switch/mode-switch to RUN mode.

9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

 

Copyright ©2022 Rockwell Automation, Inc.