PN648 | ControlLogix 1756-EN2T EtherNet/IP Bridge Firmware Upgrade Security Vulnerability

Introduction

Description

June 15, 2011 - Version 1.0

Rockwell Automation has identified a security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-EN2T EtherNet/IP Bridge Module (the "Product"). This vulnerability affects the following products:

• 1756-EN2T Series A; 1756-EN2T Series B; 1756-EN2T Series C

Details of this vulnerability are as follows:

The potential exists for the Product to accept an altered or corrupted firmware image during its upgrade process that may render the Product inoperable or change its otherwise normal operation.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.

Rockwell Automation is currently planning to release enhanced firmware for the Product around February, 2012. This forthcoming firmware will include product-level firmware authentication and verification. This firmware release will be digitally signed. Once applied to the Product, any subsequent Product upgrades will require firmware that includes a valid Rockwell Automation digital signature for authentication purposes.

To immediately help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:

1. Obtain product firmware only from trusted manufacturer sources.
   
2. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
   
3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
   
4. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (E.g. a firewall, UTM devices, or other security appliance).

For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status