Loading

PN950 | Logix5000 Programmable Automation Controller Denial of Service/Buffer Overflow Vulnerability

Severity:
Critical
Advisory ID:
PN950
Published Date:
May 13, 2019
Last Updated:
May 13, 2019
Revision Number:
1.5
Known Exploited Vulnerability (KEV):
Não
Corrected:
Não
Workaround:
Não
CVE IDs
CVE-2016-9343
Summary
Logix5000 Programmable Automation Controller Denial of Service/Buffer Overflow Vulnerability

Introduction

Logix5000 Programmable Automation Controller Denial of Service/Buffer Overflow Vulnerability

Description

Version 1.5 - May 13, 2019

A vulnerability exists in the Logix5000™ Programmable Automation Controller product line that, if successfully exploited, can either cause a Denial of Service ("DoS") or potentially allow an attacker to alter the operating state of the controller through a buffer overflow. Logix5000 is a product line of Programmable Automation Controllers used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; as well as automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting evaluations to help achieve completeness in its risk assessment and mitigation processes.

As of this announcement and to the knowledge of Rockwell Automation, there is no publicly available exploit code relating to this vulnerability.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply those mitigations that they deem applicable to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

UPDATE: Aug 21, 2018
New remediated firmware versions for the PowerFlex 700S drives with Phase II control with the embedded DriveLogix 5730 controller option installed have been released. See below for details.

AFFECTED PRODUCTS

UPDATE: Feb 13, 2017
Further internal investigation discovered that the DriveLogix™ platform is also affected by this vulnerability. DriveLogix is an embedded, high-performance Logix engine as a part of a PowerFlex® 700S drive solution, specifically for the PowerFlex 700S Drives with Phase II Control. Affected versions of DriveLogix, as well as mitigations to deploy for affected customers, are provided as below.

The affected firmware versions are listed, followed by a list of the products that utilize the affected firmware.

Note: Firmware versions (for all products) prior to Firmware Revision Number ("FRN ") 16.00 are not affected by this vulnerability.

  • FRN 16.00
    • 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (V16.020 through V16.022)
    • ControlLogix® 5560 controllers (V16.020 thru V16.022)
    • ControlLogix L55 controllers (V16.020 thru V16.022)
    • ControlLogix 5560 Redundant controllers (All Versions)
    • GuardLogix® 5560 controllers (All Versions)
    • FlexLogix™ L34 controllers (All Versions)
    • 1769 CompactLogix™ L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (V16.020 thru V16.023)
    • 1768 CompactLogix L4x controllers (V16.020 thru V16.025)
  • FRN 17.00
    • 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (v17.003 and v17.004)
    • SoftLogix™ 5800 controllers (All Versions)
    • ControlLogix 5560 controllers (All Versions)
    • GuardLogix 5560 controllers (All Versions)
    • 1769 CompactLogix L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (All Versions)
    • 1768 CompactLogix L4x controllers (All Versions)
  • FRN 18.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix™ Emulate 5000 (All Versions)
    • ControlLogix 5560 controllers (All Versions)
    • ControlLogix 5570 controllers (All Versions)
    • GuardLogix 5560 controllers (All Versions)
    • 1769 CompactLogix L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (All Versions)
    • 1768 CompactLogix L4x controllers (All Versions)
    • 1768 Compact GuardLogix L4xS (All Versions)
  • FRN 19.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix Emulate 5000 (All Versions)
    • ControlLogix 5560 controllers (All Versions)
    • ControlLogix 5570 controllers (All Versions)
    • ControlLogix 5560 Redundant controllers (All Versions)
    • GuardLogix 5560 controllers (All Versions)
    • 1769 CompactLogix L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (All Versions)
    • 1768 CompactLogix L4x controllers (All Versions)
    • 1768 Compact GuardLogix® L4xS controllers (All Versions)
  • FRN 20.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix Emulate 5000 (All Versions)
    • ControlLogix 5560 controllers (V20.010 thru V20.013)
    • ControlLogix 5570 controllers (V20.010 thru V20.013)
    • ControlLogix 5560 Redundant controllers (V20.050 thru V20.055)
    • ControlLogix 5570 Redundant controllers (V20.050 thru V20.055)
    • GuardLogix 5560 controllers (V20.010 thru V20.017)
    • GuardLogix 5570 controllers (V20.010 thru V20.017)
    • 1769 CompactLogix L23x controllers (V20.010 thru V20.013)
    • 1769 CompactLogix L3x controllers (V20.010 thru V20.013)
    • 1769 CompactLogix 5370 L1 controllers (V20.010 thru V20.013)
    • 1769 CompactLogix 5370 L2 controllers (V20.010 thru V20.013)
    • 1769 CompactLogix 5370 L3 controllers (V20.010 thru V20.013)
    • 1768 CompactLogix L4x controllers (V20.011 thru V20.016)
    • 1768 Compact GuardLogix L4xS controllers (V20.011 thru V20.013)
  • FRN 21.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix Emulate 5000 (All Versions)
    • ControlLogix 5570 controllers (All Versions)
    • ControlLogix 5570 Redundant controllers (All Versions)
    • GuardLogix 5570 controllers (All Versions)
    • 1769 CompactLogix 5370 L1 controllers (All Versions)
    • 1769 CompactLogix 5370 L2 controllers (All Versions)
    • 1769 CompactLogix 5370 L3 controllers (All Versions)

The products above are affected in the corresponding versions of firmware. Check the Updates/Risk Mitigations section below to verify that all functional versions of firmware include the latest security updates for this vulnerability in the event one of the aforementioned products is being used with a version of firmware that is not listed herein.

VULNERABILITY DETAILS

This vulnerability may allow an attacker to intentionally send a specific malformed Common Industrial Protocol ("CIP") packet to the product and cause a Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service ("DoS") condition. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the attacker to alter the operating state of the controller. This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.

CVE-2016-9343 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/.

RISK MITIGATIONS

Customers using affected controllers are encouraged to upgrade to an available firmware version that addresses the associated risk.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below, are similarly recommended. Employ multiple strategies when possible.

  1. Update supported products based on this table:

Type of Controller

Product Family

Catalog Numbers

Remediated Versions

Embedded Controller Option with PowerFlex 700S

DriveLogix 5730

Catalog numbers beginning with 20D with a "K" or "L" in the 17th position

For more information about these catalog numbers, see page 10 of the PowerFlex 700S Drives with Phase II Control Technical Data document

V16.23

V17.05

Soft Controller

SoftLogix 5800

1789-Lx

V23: FRN 23.00 or later

Software (used by ControlLogix)

RSLogix Emulate 5000

9310-Wx

V23: FRN 23.00 or later

Standard Controllers

ControlLogix L55

1756-L55x

V16: FRN 16.023 or later

Standard Controllers

ControlLogix 5560

1756-L6

V16: FRN 16.023 or later

V20: FRN 20.014 or later

Standard Controllers

ControlLogix 5570

1756-L7

V20: FRN 20.014 or later

V23: FRN 23.012 or later

V24 or later

Standard Controllers (Redundant)

ControlLogix 5560

1756-L6

V20: FRN 20.056 or later

Standard Controllers (Redundant)

ControlLogix 5570

1756-L7

V20: FRN 20.056 or later

V24: FRN 24.052 or later

Small Controllers

CompactLogix L23x

CompactLogix L3x

1769-L23, 1769-L31, 1769-L32, 1769-L35

V20: FRN 20.014 or later

Small Controllers

CompactLogix 5370 L1 CompactLogix 5370 L2

CompactLogix 5370 L3

1769-L1, 1769-L2, 1769-L3

V20: FRN 20.014 or later

V23: FRN 23.012 or later

V24 or later

Small Controllers

CompactLogix L4x

1768-L4x

V16: FRN 16.026 (Series A, B, C)

FRN 16.027 or later (Series D)

V20: FRN 20.014 or later (Series A, B, C)

FRN 20.016 or later (Series D)

Safety Controllers

GuardLogix L4xS

1768-L4xS

V20: FRN 20.018 or later

Safety Controllers

GuardLogix 5560

1756-L6S

V20: FRN 20.018 or later

Safety Controllers

GuardLogix 5570

1756-L7S

V20: FRN 20.018 or later

V23: FRN 23.012 or later

V24 or later

Note: Customers using affected versions of FlexLogix, which is a discontinued product, are urged to contact their local distributor or Sales Office in order to upgrade to newer product lines that contain the relevant mitigations.

  1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances.
  2. When possible, keep the controller in RUN mode rather than Remote RUN or Remote Program mode in order to prevent other disruptive changes to your system.
  3. Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
  4. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

  • Security Advisory Index, Knowledgebase Article ID 54102.
  • ICS-CERT Advisory: Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow Vulnerability.

REVISION HISTORY

Date

Version

Details

05-DEC-2016

1.0

Initial release.

16-DEC-2016

1.1

Added details to indicate this is a CIP based packet and added mitigations for CIP networks.

04-JAN-2017

1.2

Clarified CompactLogix L4x and GuardLogix L4xS V20 affected versions, and added remediated GuardLogix L4xS version.

13-FEB-2017

1.3

Added details for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed.

21-AUG-2018

1.4

Added remediated versions of Firmware for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed.

13-MAY-2019

1.5

Fixed broken links and added RA contact information.

Attachments
File
KB970074_1.5.pdf

KCS Status

Released

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Página inicial da Rockwell Automation
  2. Chevron LeftChevron Left Trust Center
  3. Chevron LeftChevron Left Industrial Security Adv
  4. Chevron LeftChevron Left Industrial Security Advisory Detail
Atualize suas preferências de cookies para continuar.
Este recurso requer cookies para melhorar sua experiência. Atualize suas preferências para permitir esses cookies:
  • Cookies de Redes Sociais
  • Cookies Funcionais
  • Cookies de Desempenho
  • Cookies de Marketing
  • Todos os Cookies
Você pode atualizar suas preferências a qualquer momento. Para mais informações, consulte nosso {0} Política de Privacidade
CloseClose