Introduction
Description
Version 1.1 - Feb 06, 2019
Version 1.0 - Feb 04, 2019
Rockwell Automation received a report from researchers at Tenable regarding a potential vulnerability that affects EtherNet/IP™ Web Server modules. If successfully exploited, it can allow a threat actor to deny communication with the Simple Network Management Protocol (SNMP) service until the device is restarted.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply them appropriately to deployed products.
AFFECTED PRODUCTS
EtherNet/IP Web Server Modules
- 1756-EWEB (includes 1756-EWEBK), v5.001 and earlier
CompactLogix™ Controller EtherNet/IP Web Server Module
- 1768-EWEB, v2.005 and earlier
VULNERABILITY DETAILS
An unauthenticated, remote threat actor could potentially send a crafted UDP packet to the affected product’s SNMP service. Improper handling of this crafted packet could result in a denial of service for SNMP; port 161 stops receiving messages until the device is power-cycled. The web UI may show that the service is running even if it is not available. The control functionality of the device is unaffected.
CVE-2018-19016 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. For a better understanding of how this score was generated, see the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
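The advisory notes that the web UI may still report the SNMP service as running after port 161 has stopped answering, so the only reliable health signal is an actual poll of the agent. The following is an added defender-side monitor, not code from Rockwell Automation or Tenable: it hand-encodes one ordinary SNMPv2c GetRequest for sysUpTime.0 (a normal, well-formed poll, not the crafted packet the advisory refers to), sends it to UDP/161 with a timeout, and treats silence as the condition described above. It assumes SNMPv2c with a read-only community string; the community name "public", the example host, and the sample response bytes are constructed for illustration.

```python
"""Added example: SNMP availability probe for the condition the advisory describes.

Hypothetical defender-side monitor, not code from Rockwell Automation or Tenable.
Assumes SNMPv2c and a read-only community string; "public" and SAMPLE_RESPONSE
below are constructed values used to exercise the encoder and parser offline.
"""
import socket
import sys

SYS_UPTIME_OID = (1, 3, 6, 1, 2, 1, 1, 3, 0)   # sysUpTime.0 (RFC 1213 system group)

# --- minimal BER encoding ----------------------------------------------------

def _ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _encode_int(v):
    """ASN.1 INTEGER with a minimal two's-complement body."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _encode_oid(oid):
    body = bytes([40 * oid[0] + oid[1]])
    for sub in oid[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                                  # base-128 with continuation bits
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def build_get_request(community, oid, request_id):
    """SNMPv2c GetRequest (version field 1) for one OID with a NULL value."""
    varbind = _tlv(0x30, _encode_oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(1) + _tlv(0x04, community.encode()) + pdu)

# --- minimal BER decoding ----------------------------------------------------

def _read_tlv(buf, pos):
    """Return (tag, payload, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(data, expected_id):
    """Return sysUpTime in TimeTicks (1/100 s); raise on anything unexpected."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = _read_tlv(msg, 0)
    _, _community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    if int.from_bytes(rid, "big", signed=True) != expected_id:
        raise ValueError("request-id mismatch")     # a reply to some other poll
    status = int.from_bytes(err, "big", signed=True)
    if status != 0:
        raise ValueError(f"agent returned error-status {status}")
    _, vb_list, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vb_list, 0)
    _, _oid, q = _read_tlv(vb, 0)
    vtag, value, _ = _read_tlv(vb, q)
    if vtag != 0x43:                                # TimeTicks
        raise ValueError("unexpected value type for sysUpTime")
    return int.from_bytes(value, "big")

# --- the probe ---------------------------------------------------------------

def probe_snmp(host, community="public", port=161, timeout=2.0, request_id=1):
    """Return (responded, uptime_ticks). A timeout is the symptom from the
    advisory: UDP/161 silent even though the web UI may still show the service up."""
    req = build_get_request(community, SYS_UPTIME_OID, request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            data, _ = sock.recvfrom(1500)
        except socket.timeout:
            return False, None
    return True, parse_get_response(data, request_id)

# Constructed sample: the GetResponse a healthy agent would return for request-id 1,
# carrying sysUpTime = 123456 ticks. Lets the parser be exercised offline.
SAMPLE_RESPONSE = bytes.fromhex(
    "302a020101040670" "75626c6963a21d02" "0101020100020100" "3012301006082b06"
    "0102010103004304" "0001e240"
)

if __name__ == "__main__":
    print("offline parse:", parse_get_response(SAMPLE_RESPONSE, 1), "ticks")
    if len(sys.argv) > 1:                           # e.g. python probe.py 192.0.2.10
        ok, ticks = probe_snmp(sys.argv[1])
        print("SNMP responded, uptime ticks:" if ok else
              "SNMP unresponsive; verify the module regardless of what the web UI reports", ticks)
```

Run it periodically from the same network segment that is permitted to reach UDP/161 and alert on the "unresponsive" branch; the request-id check keeps a late reply to an earlier poll from being counted as a fresh answer.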
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed and, if necessary, contact their local distributor or Sales Office.
Product Family | Catalog Numbers | Suggested Actions |
EtherNet/IP Web Server Module | 1756-EWEB Series A, All Versions; Series B, All Versions | |
CompactLogix EtherNet/IP Web Server Module | 1768-EWEB, All Versions | |
NOTE: Customers are urged to evaluate their level of risk and, if necessary, contact their local distributor or Sales Office.
GENERAL SECURITY GUIDELINES
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP messages from unauthorized sources are blocked.
- Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the manufacturing zone by blocking or restricting access to UDP port 161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- [ICS-CERT/NCCIC] ICSA-19-036-02 Rockwell Automation EtherNet/IP Web Server Modules
- [Tenable] Rockwell Automation EWEB SNMP Denial of Service
REVISION HISTORY
Date | Version | Details |
06-Feb-2019 | 1.1 | ICS-CERT and Tenable Advisory links added |
04-Feb-2019 | 1.0 | Initial Release |