Severity: Critical, High
Advisory ID: PN1616
Published Date: January 27, 2023
Last Updated: January 27, 2023
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2019-5097, CVE-2019-5096
Summary
CVE-2019-5096 and CVE-2019-5097 Vulnerabilities Impact Multiple Products
Revision History
Version 1.0 – January 27, 2023
Executive Summary
Rockwell Automation is aware of multiple products that utilize the GoAhead web server application and are affected by CVE-2019-5096 and CVE-2019-5097. Exploitation of these vulnerabilities could potentially have a high impact on the confidentiality, integrity and availability of the vulnerable devices. We have not received any notice of these vulnerabilities being exploited in Rockwell Automation products.
Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including impact and recommended countermeasures, are provided.
Affected Products
CVE-2019-5096 and CVE-2019-5097
Catalog Number | Firmware Version |
1732E-8CFGM8R/A | 1.012 |
1732E-IF4M12R/A (discontinued) | 1.012 |
1732E-IR4IM12R/A | 1.012 |
1732E-IT4IM12R/A | 1.012 |
1732E-OF4M12R/A | 1.012 |
1732E-OB8M8SR/A | 1.013 |
1732E-IB8M8SOER | 1.012 |
1732E-8IOLM12R | 2.011 |
1747-AENTR | 2.002 |
1769-AENTR | 1.001 |
5069-AEN2TR | 3.011 |
1756-EN2TR/C | <=11.001 |
1756-EN2T/D | <=11.001 |
1756-EN2TSC/B (discontinued) | 10.01 |
1756-EN2TSC/B | 10.01 |
1756-HIST1G/A (discontinued) | <=3.054 |
1756-HIST2G/A (discontinued) | <=3.054 |
1756-HIST2G/B | <=5.103 |
CVE-2019-5097
Catalog Number | Firmware Version |
ControlLogix® 5580 controllers | V28 – V32* |
GuardLogix® 5580 controllers | V31 – V32* |
CompactLogix™ 5380 controllers | V28 – V32* |
Compact GuardLogix 5380 controllers | V31 – V32* |
CompactLogix 5480 controllers | V32* |
1756-EN2T/D | 11.001* |
1756-EN2TR/C | 11.001* |
1765-EN3TR/B | 11.001* |
1756-EN2F/C | 11.001* |
1756-EN2TP/A | 11.001* |
* The vulnerability is only exploitable via the Ethernet port. It is not exploitable via backplane or USB communications.
Vulnerability Details
Rockwell Automation was made aware of two third-party vulnerabilities that affect the GoAhead embedded web server. A critical vulnerability (CVE-2019-5096) exists in the way requests are processed by the web server. If exploited, a malicious user could potentially leverage this vulnerability to execute arbitrary code by sending specially crafted HTTP requests to the targeted device.
Additionally, a denial-of-service (DoS) vulnerability (CVE-2019-5097) exists in the GoAhead web server. To exploit this vulnerability, a malicious user would have to send specially crafted HTTP requests and trigger an infinite loop in the process. If exploited, the targeted device could potentially crash.
CVE-2019-5096 EmbedThis GoAhead web server code execution vulnerability
CVSS Base Score: 9.8/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-5097 EmbedThis GoAhead web server denial-of-service vulnerability
CVSS Base Score: 7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Risk Mitigation & User Action
We encourage customers to apply the recommended mitigations, provided below.
Product | Suggested Actions |
1732E-8CFGM8R/A | Refer to Additional Mitigations |
1732E-IF4M12R/A | Refer to Additional Mitigations |
1732E-IR4IM12R/A | Refer to Additional Mitigations |
1732E-IT4IM12R/A | Refer to Additional Mitigations |
1732E-OF4M12R/A | Refer to Additional Mitigations |
1732E-OB8M8SR/A | Refer to Additional Mitigations |
1732E-IB8M8SOER | Refer to Additional Mitigations |
1732E-8IOLM12R | Refer to Additional Mitigations |
1747-AENTR | Refer to Additional Mitigations |
1769-AENTR | Update to 1.003 or later |
5069-AEN2TR (discontinued) | Migrate to the 5069-AENTR |
1756-EN2T/D | Update to 11.002 or later |
1756-EN2TR/C | Update to 11.002 or later |
1756-EN3TR/B | Update to 11.002 or later |
1756-EN2F/C | Update to 11.002 or later |
1756-EN2TP/A | Update to 11.002 or later |
1756-EN2TSC/B | Refer to Additional Mitigations |
1756-HIST1G/A (discontinued) | Update to series B v5.104 or C 7.100 or later |
1756-HIST2G/A (discontinued) | Update to series B v5.104 or C 7.100 or later |
1756-HIST2G/B | Update to 5.104 or later |
ControlLogix 5580 controllers | Update to V32.016 or later |
GuardLogix 5580 controllers | Update to V32.016 or later |
CompactLogix 5380 controllers | Update to V32.016 or later |
Compact GuardLogix 5380 controllers | Update to V32.016 or later |
CompactLogix 5480 | Update to V32.016 or later |
Additional Mitigations
If a firmware update is not possible or is unavailable, we recommend the following compensating controls to help minimize the risk of the vulnerability.
- Disable the web server, if possible. Please review the corresponding product user manual for instructions, which can be found in the Rockwell Automation Literature Library.
- For 1732E, upgrade to the latest firmware to disable the web server.
- Configure firewalls to disallow network communication through HTTP/Port 80.
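To triage an asset inventory against the Affected Products and Suggested Actions tables above, the following added example (not Rockwell Automation code) encodes a subset of the rows and classifies each device. The CSV layout, asset names and status labels are assumptions; firmware the tables do not cover is flagged for review rather than assumed safe.

```python
import csv
import io

# Subset of the advisory's two tables (extend with the remaining rows):
# catalog number -> (listed affected firmware, first fixed firmware, suggested action)
ADVISORY = {
    "1732E-8CFGM8R/A": ("1.012", None, "Refer to Additional Mitigations"),
    "1769-AENTR": ("1.001", "1.003", "Update to 1.003 or later"),
    "1756-EN2T/D": ("<=11.001", "11.002", "Update to 11.002 or later"),
    "1756-EN2TR/C": ("<=11.001", "11.002", "Update to 11.002 or later"),
    "1756-HIST2G/B": ("<=5.103", "5.104", "Update to 5.104 or later"),
}

# Constructed sample inventory; asset names and column layout are assumptions.
SAMPLE_INVENTORY = """asset,catalog,firmware
line1-adapter,1756-EN2T/D,10.010
line2-adapter,1756-EN2TR/C,11.002
io-block-7,1732E-8CFGM8R/A,1.012
rack-3,1769-AENTR,1.002
unlisted-1,EXAMPLE-UNLISTED,unknown
"""

def parse_version(text):
    """'11.001' or 'V11.001' -> (11, 1); None when not dotted digits."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(catalog, firmware):
    """Classify one device as AFFECTED, OK, REVIEW or NOT_LISTED."""
    row = ADVISORY.get(catalog.strip().upper())
    if row is None:
        return ("NOT_LISTED", "")
    listed, fixed, action = row
    have = parse_version(firmware)
    if have is None:
        return ("REVIEW", "firmware unreadable; confirm on the device")
    if fixed and have >= parse_version(fixed):
        return ("OK", "")
    bound = parse_version(listed.lstrip("<="))
    if have == bound or (listed.startswith("<=") and have < bound):
        return ("AFFECTED", action)
    return ("REVIEW", "firmware not covered by the advisory table")

def triage_inventory(text):
    """Return (asset, status, action) for every row of a CSV inventory."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["asset"], *triage(r["catalog"], r["firmware"])) for r in rows]
```

Calling `triage_inventory(SAMPLE_INVENTORY)` returns one `(asset, status, action)` tuple per device, which can be sorted by status to plan firmware updates and compensating controls.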