SD1706 | Security Advisory | Rockwell Automation

Severity:

High

Advisory ID:

SD1706

Date de publication:

October 07, 2024

Date de la dernière mise à jour:

October 10, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

Non

Corrected:

Oui

Workaround:

Non

CVE IDs

CVE-2024-8626

Téléchargements

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

Résumé

Logix Controllers Vulnerable to Denial-of-Service Vulnerability

Published Date: October 8, 2024

Last updated: October 10, 2024

Revision Number: 2.0

CVSS Score: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
CompactLogix 5380 controllers	v33.011<	v33.015 and later for versions 33 v34.011 and later
Compact GuardLogix® 5380 controllers	v33.011<
CompactLogix 5480 controllers	v33.011<
ControlLogix 5580 controllers	v33.011<
GuardLogix 5580 controllers	v33.011<
1756-EN4TR	v3.002	4.001 and later

Mitigations and Workarounds

Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Security Best Practices

VULNERABILITY DETAILS

CVE-2024-8626 IMPACT

Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 7.5/10 (high)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7/10 (high)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 400 – Uncontrolled Resource Consumption

ADDITIONAL RESOURCES

JSON CVE-2024-8626