Logix Controllers Vulnerable to Denial-of-Service Vulnerability
Published Date: October 8, 2024
Last updated: October 10, 2024
Revision Number: 2.0
CVSS Score: 8.7/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
--- | --- | ---
CompactLogix 5380 controllers | v33.011< | 
Compact GuardLogix® 5380 controllers | v33.011< | 
CompactLogix 5480 controllers | v33.011< | 
ControlLogix 5580 controllers | v33.011< | 
GuardLogix 5580 controllers | v33.011< | 
1756-EN4TR | v3.002 | 
Mitigations and Workarounds
Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
VULNERABILITY DETAILS
CVE-2024-8626 IMPACT
Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product, causing the affected product to become fully unavailable and require a power cycle to recover.
Rockwell Automation used the latest version of the CVSS scoring system to assess this vulnerability; both the v3.1 and v4.0 base scores are given below.
CVSS v3.1 Base Score: 7.5/10 (high)
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0 Base Score: 8.7/10 (high)
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-400: Uncontrolled Resource Consumption
ADDITIONAL RESOURCES