PN1058 | EtherNet/IP Web Server Module SNMP Service Denial of Service

Severity: Medium
Advisory ID: PN1058
Published Date: February 06, 2019
Last Updated: February 06, 2019
Revision Number: 1.1
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2018-19016
Summary: EtherNet/IP Web Server Module SNMP Service Denial of Service

Description

Version 1.1 - Feb 06, 2019
Version 1.0 - Feb 04, 2019

Rockwell Automation received a report from researchers at Tenable regarding a potential vulnerability which affects EtherNet/IP™ Web Server modules that, if successfully exploited, can allow a threat actor to deny communication with the Simple Network Management Protocol (SNMP) service until the device can be restarted.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply them appropriately to deployed products.

AFFECTED PRODUCTS

EtherNet/IP Web Server Modules

  • 1756-EWEB (includes 1756-EWEBK), v5.001 and earlier

CompactLogix™ Controller EtherNet/IP Web Server Module

  • 1768-EWEB, v2.005 and earlier

VULNERABILITY DETAILS

An unauthenticated, remote threat actor could potentially send a crafted UDP packet to the affected product’s SNMP service. Improper handling of this crafted packet could result in a denial of service for SNMP; port 161 stops receiving messages until the device is power-cycled. The web UI may show that the service is running even if it is not available. The control functionality of the device is unaffected.
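
Because the web UI may report SNMP as running when port 161 has stopped answering, availability has to be checked against the service itself. The following is an added example, not part of the Rockwell Automation advisory: a read-only SNMPv1 poll of sysUpTime.0 that treats only a well-formed GetResponse as proof of life. The community string "public", SNMPv1 support on the module, and all function names are assumptions of this example.

```python
import socket

SYS_UPTIME_OID = bytes([0x2B, 6, 1, 2, 1, 1, 3, 0])  # 1.3.6.1.2.1.1.3.0

def tlv(tag, value):  # BER tag-length-value, short-form length only
    if len(value) > 127:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def ber_int(n):  # minimal BER INTEGER for n >= 0
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_get_request(community, request_id):
    """SNMPv1 GetRequest for sysUpTime.0: an ordinary read-only poll."""
    varbind = tlv(0x30, tlv(0x06, SYS_UPTIME_OID) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)

def read_tlv(buf, pos):  # -> (tag, value, next_pos); IndexError if truncated
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def is_get_response(reply, request_id):  # GetResponse (0xA2) echoing our id?
    try:
        tag, body, _ = read_tlv(reply, 0)
        _, _, pos = read_tlv(body, 0)        # skip version
        _, _, pos = read_tlv(body, pos)      # skip community
        pdu_tag, pdu, _ = read_tlv(body, pos)
        rid_tag, rid, _ = read_tlv(pdu, 0)
    except IndexError:
        return False
    return (tag, pdu_tag, rid_tag) == (0x30, 0xA2, 0x02) and int.from_bytes(rid, "big") == request_id

def snmp_alive(host, community=b"public", port=161, timeout=2.0, retries=3):
    """Poll UDP/161 directly; False means no valid answer to any attempt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for rid in range(1, retries + 1):
            try:
                sock.sendto(build_get_request(community, rid), (host, port))
                reply, _addr = sock.recvfrom(1500)
            except OSError:  # timeout or ICMP error: count as a missed poll
                continue
            if is_get_response(reply, rid):
                return True
    return False
```

Alert when consecutive scheduled polls return False while the module's web page still reports SNMP as running; per the advisory, the service does not recover until the device is power-cycled.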

CVE-2018-19016 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. The CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed and, if necessary, contact their local distributor or Sales Office.

Product Family: EtherNet/IP Web Server Module
Catalog Numbers: 1756-EWEB (Series A, All Versions; Series B, All Versions)
Suggested Actions:
  • Disable the SNMP service if not in use. See pg 28 of the EtherNet/IP Web Server Module User Manual.
  • No direct mitigation provided.
  See NOTE: below for additional recommended actions.

Product Family: CompactLogix EtherNet/IP Web Server Module
Catalog Numbers: 1768-EWEB, All Versions
Suggested Actions:
  • Disable the SNMP service if not in use. See pg 28 of the EtherNet/IP Web Server Module User Manual.
  • No direct mitigation provided.
  See NOTE: below for additional recommended actions.

NOTE: Customers are urged to evaluate their level of risk and, if necessary, contact their local distributor or Sales Office.

GENERAL SECURITY GUIDELINES

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP messages from unauthorized sources are blocked.
  2. Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the manufacturing zone by blocking or restricting access to UDP port 161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  3. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  5. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  6. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • [ICS-CERT/NCCIC] ICSA-19-036-02 Rockwell Automation EtherNet/IP Web Server Modules
  • [Tenable] Rockwell Automation EWEB SNMP Denial of Service

REVISION HISTORY

Date          Version   Details
06-Feb-2019   1.1       ICS-CERT and Tenable Advisory links added
04-Feb-2019   1.0       Initial Release
Attachments
File
KB 1084268_v1.1.pdf
