Introduction
Description
Version 1.5 - May 13, 2019
A vulnerability exists in the Logix5000™ Programmable Automation Controller product line that, if successfully exploited, can either cause a Denial of Service ("DoS") or potentially allow an attacker to alter the operating state of the controller through a buffer overflow. Logix5000 is a product line of Programmable Automation Controllers used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; as well as automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting evaluations to help achieve completeness in its risk assessment and mitigation processes.
As of this announcement and to the knowledge of Rockwell Automation, there is no publicly available exploit code relating to this vulnerability.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply those mitigations that they deem applicable to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
UPDATE: Aug 21, 2018
New remediated firmware versions for the PowerFlex 700S drives with Phase II control with the embedded DriveLogix 5730 controller option installed have been released. See below for details.
AFFECTED PRODUCTS
UPDATE: Feb 13, 2017
Further internal investigation discovered that the DriveLogix™ platform is also affected by this vulnerability. DriveLogix is an embedded, high-performance Logix engine as a part of a PowerFlex® 700S drive solution, specifically for the PowerFlex 700S Drives with Phase II Control. Affected versions of DriveLogix, as well as mitigations to deploy for affected customers, are provided as below.
The affected firmware versions are listed, followed by a list of the products that utilize the affected firmware.
Note: Firmware versions (for all products) prior to Firmware Revision Number ("FRN") 16.00 are not affected by this vulnerability.
- FRN 16.00
  - 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (V16.020 through V16.022)
  - ControlLogix® 5560 controllers (V16.020 thru V16.022)
  - ControlLogix L55 controllers (V16.020 thru V16.022)
  - ControlLogix 5560 Redundant controllers (All Versions)
  - GuardLogix® 5560 controllers (All Versions)
  - FlexLogix™ L34 controllers (All Versions)
  - 1769 CompactLogix™ L23x controllers (All Versions)
  - 1769 CompactLogix L3x controllers (V16.020 thru V16.023)
  - 1768 CompactLogix L4x controllers (V16.020 thru V16.025)
- FRN 17.00
  - 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (v17.003 and v17.004)
  - SoftLogix™ 5800 controllers (All Versions)
  - ControlLogix 5560 controllers (All Versions)
  - GuardLogix 5560 controllers (All Versions)
  - 1769 CompactLogix L23x controllers (All Versions)
  - 1769 CompactLogix L3x controllers (All Versions)
  - 1768 CompactLogix L4x controllers (All Versions)
- FRN 18.00
  - SoftLogix 5800 controllers (All Versions)
  - RSLogix™ Emulate 5000 (All Versions)
  - ControlLogix 5560 controllers (All Versions)
  - ControlLogix 5570 controllers (All Versions)
  - GuardLogix 5560 controllers (All Versions)
  - 1769 CompactLogix L23x controllers (All Versions)
  - 1769 CompactLogix L3x controllers (All Versions)
  - 1768 CompactLogix L4x controllers (All Versions)
  - 1768 Compact GuardLogix L4xS (All Versions)
- FRN 19.00
  - SoftLogix 5800 controllers (All Versions)
  - RSLogix Emulate 5000 (All Versions)
  - ControlLogix 5560 controllers (All Versions)
  - ControlLogix 5570 controllers (All Versions)
  - ControlLogix 5560 Redundant controllers (All Versions)
  - GuardLogix 5560 controllers (All Versions)
  - 1769 CompactLogix L23x controllers (All Versions)
  - 1769 CompactLogix L3x controllers (All Versions)
  - 1768 CompactLogix L4x controllers (All Versions)
  - 1768 Compact GuardLogix® L4xS controllers (All Versions)
- FRN 20.00
  - SoftLogix 5800 controllers (All Versions)
  - RSLogix Emulate 5000 (All Versions)
  - ControlLogix 5560 controllers (V20.010 thru V20.013)
  - ControlLogix 5570 controllers (V20.010 thru V20.013)
  - ControlLogix 5560 Redundant controllers (V20.050 thru V20.055)
  - ControlLogix 5570 Redundant controllers (V20.050 thru V20.055)
  - GuardLogix 5560 controllers (V20.010 thru V20.017)
  - GuardLogix 5570 controllers (V20.010 thru V20.017)
  - 1769 CompactLogix L23x controllers (V20.010 thru V20.013)
  - 1769 CompactLogix L3x controllers (V20.010 thru V20.013)
  - 1769 CompactLogix 5370 L1 controllers (V20.010 thru V20.013)
  - 1769 CompactLogix 5370 L2 controllers (V20.010 thru V20.013)
  - 1769 CompactLogix 5370 L3 controllers (V20.010 thru V20.013)
  - 1768 CompactLogix L4x controllers (V20.011 thru V20.016)
  - 1768 Compact GuardLogix L4xS controllers (V20.011 thru V20.013)
- FRN 21.00
  - SoftLogix 5800 controllers (All Versions)
  - RSLogix Emulate 5000 (All Versions)
  - ControlLogix 5570 controllers (All Versions)
  - ControlLogix 5570 Redundant controllers (All Versions)
  - GuardLogix 5570 controllers (All Versions)
  - 1769 CompactLogix 5370 L1 controllers (All Versions)
  - 1769 CompactLogix 5370 L2 controllers (All Versions)
  - 1769 CompactLogix 5370 L3 controllers (All Versions)
The products above are affected in the corresponding versions of firmware. Check the Updates/Risk Mitigations section below to verify that all functional versions of firmware include the latest security updates for this vulnerability in the event one of the aforementioned products is being used with a version of firmware that is not listed herein.
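A helper for checking an inventory against the affected and remediated ranges above, added here as an example and not a Rockwell Automation tool. The product data is a subset transcribed from this advisory (ControlLogix 5560/5570 and GuardLogix 5560); the `parse_frn`, `is_affected` and `recommended_upgrade` names and the "V20.013"/"FRN 20.013" input formats are assumptions of the example, and the tables must be extended to cover other products in your plant.

```python
"""Check Logix5000 firmware versions against the affected/remediated ranges
published in this advisory (CVE-2016-9343).

Example added for this page, not Rockwell Automation code. The AFFECTED and
REMEDIATED data is a subset transcribed from the advisory; extend it for your
own inventory."""
import re

# Affected ranges per product: (FRN major, first minor, last minor).
# A minor of None means the advisory lists "All Versions" of that FRN.
AFFECTED = {
    "ControlLogix 5560": [(16, 20, 22), (17, None, None), (18, None, None),
                          (19, None, None), (20, 10, 13)],
    "ControlLogix 5570": [(18, None, None), (19, None, None), (20, 10, 13),
                          (21, None, None)],
    "GuardLogix 5560":   [(16, None, None), (17, None, None), (18, None, None),
                          (19, None, None), (20, 10, 17)],
}

# Earliest remediated minor for each FRN major, from the mitigation table.
REMEDIATED = {
    "ControlLogix 5560": {16: 23, 20: 14},
    "ControlLogix 5570": {20: 14, 23: 12},
    "GuardLogix 5560":   {20: 18},
}

def parse_frn(version):
    """'V20.013' or 'FRN 20.013' -> (20, 13); raise on malformed input."""
    m = re.fullmatch(r"(?:V|FRN\s*)?(\d+)\.(\d+)", version.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(product, version):
    """True if the version falls in one of the advisory's affected ranges.
    Versions below FRN 16.00 are not in the table and so report False."""
    major, minor = parse_frn(version)
    for frn, lo, hi in AFFECTED.get(product, []):
        if frn == major and (lo is None or lo <= minor <= hi):
            return True
    return False

def recommended_upgrade(product, version):
    """Lowest remediated version on the same FRN major, or on the next major
    that has a fix when the current major has none (None if no fix listed)."""
    major, _ = parse_frn(version)
    fixes = REMEDIATED.get(product, {})
    if major in fixes:
        return f"V{major}.{fixes[major]:03d}"
    later = sorted(m for m in fixes if m > major)
    return f"V{later[0]}.{fixes[later[0]]:03d}" if later else None
```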
VULNERABILITY DETAILS
This vulnerability may allow an attacker to intentionally send a specific malformed Common Industrial Protocol ("CIP") packet to the product and cause a Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service ("DoS") condition. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the attacker to alter the operating state of the controller. This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.
CVE-2016-9343 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
RISK MITIGATIONS
Customers using affected controllers are encouraged to upgrade to an available firmware version that addresses the associated risk.
Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below, are similarly recommended. Employ multiple strategies when possible.
- Update supported products based on this table:

| Type of Controller | Product Family | Catalog Numbers | Remediated Versions |
|---|---|---|---|
| Embedded Controller Option with PowerFlex 700S | DriveLogix 5730 | Catalog numbers beginning with 20D with a "K" or "L" in the 17th position. For more information about these catalog numbers, see page 10 of the PowerFlex 700S Drives with Phase II Control Technical Data document. | V16.23; V17.05 |
| Soft Controller | SoftLogix 5800 | 1789-Lx | V23: FRN 23.00 or later |
| Software (used by ControlLogix) | RSLogix Emulate 5000 | 9310-Wx | V23: FRN 23.00 or later |
| Standard Controllers | ControlLogix L55 | 1756-L55x | V16: FRN 16.023 or later |
| Standard Controllers | ControlLogix 5560 | 1756-L6 | V16: FRN 16.023 or later; V20: FRN 20.014 or later |
| Standard Controllers | ControlLogix 5570 | 1756-L7 | V20: FRN 20.014 or later; V23: FRN 23.012 or later; V24 or later |
| Standard Controllers (Redundant) | ControlLogix 5560 | 1756-L6 | V20: FRN 20.056 or later |
| Standard Controllers (Redundant) | ControlLogix 5570 | 1756-L7 | V20: FRN 20.056 or later; V24: FRN 24.052 or later |
| Small Controllers | CompactLogix L23x, CompactLogix L3x | 1769-L23, 1769-L31, 1769-L32, 1769-L35 | V20: FRN 20.014 or later |
| Small Controllers | CompactLogix 5370 L1, CompactLogix 5370 L2, CompactLogix 5370 L3 | 1769-L1, 1769-L2, 1769-L3 | V20: FRN 20.014 or later; V23: FRN 23.012 or later; V24 or later |
| Small Controllers | CompactLogix L4x | 1768-L4x | V16: FRN 16.026 (Series A, B, C), FRN 16.027 or later (Series D); V20: FRN 20.014 or later (Series A, B, C), FRN 20.016 or later (Series D) |
| Safety Controllers | GuardLogix L4xS | 1768-L4xS | V20: FRN 20.018 or later |
| Safety Controllers | GuardLogix 5560 | 1756-L6S | V20: FRN 20.018 or later |
| Safety Controllers | GuardLogix 5570 | 1756-L7S | V20: FRN 20.018 or later; V23: FRN 23.012 or later; V24 or later |
Note: Customers using affected versions of FlexLogix, which is a discontinued product, are urged to contact their local distributor or Sales Office in order to upgrade to newer product lines that contain the relevant mitigations.
- Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances.
- When possible, keep the controller in RUN mode rather than Remote RUN or Remote Program mode in order to prevent other disruptive changes to your system.
- Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
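The network-boundary mitigation above can be audited from flow records: the following is an example added for this page, not Rockwell Automation code, that flags CIP traffic (TCP/UDP 2222 and 44818) entering the Manufacturing Zone from outside it. The flow-record format, the 10.10.0.0/16 zone range and the sample lines are all constructed for the example.

```python
"""Detect EtherNet/IP (CIP) traffic entering the Manufacturing Zone from
outside it, the boundary the advisory says to enforce with firewalls or UTM
devices.

Example added for this page, not Rockwell Automation code. Assumptions: flow
records are constructed 'PROTO src:port > dst:port' lines and the Manufacturing
Zone is the constructed range 10.10.0.0/16."""
import ipaddress
import re

CIP_PORTS = {2222, 44818}  # ports the advisory says to block or restrict
MANUFACTURING_ZONE = ipaddress.ip_network("10.10.0.0/16")  # constructed

FLOW_RE = re.compile(
    r"(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample flows: two in-zone CIP flows (expected), two CIP flows
# arriving from outside the zone, one non-CIP flow and one unparsable line.
SAMPLE_FLOWS = """\
TCP 10.10.5.20:51234 > 10.10.7.100:44818
UDP 10.10.5.20:2222 > 10.10.7.100:2222
TCP 192.168.50.9:40211 > 10.10.7.100:44818
TCP 172.16.3.4:40212 > 10.10.7.101:80
UDP 203.0.113.7:2222 > 10.10.7.100:2222
not a flow record
"""

def parse_flow(line):
    """Return (proto, src, dst, dport) or None for lines that do not parse."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return (m["proto"], ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))

def boundary_violations(lines, zone=MANUFACTURING_ZONE):
    """CIP flows whose source is outside the zone and whose destination is a
    device inside it: exactly the traffic the mitigation tells you to block."""
    hits = []
    for line in lines.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than abort the audit
        proto, src, dst, dport = rec
        if dport in CIP_PORTS and src not in zone and dst in zone:
            hits.append((proto, str(src), str(dst), dport))
    return hits

if __name__ == "__main__":
    for proto, src, dst, port in boundary_violations(SAMPLE_FLOWS):
        print(f"CIP from outside zone: {proto} {src} -> {dst}:{port}")
```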
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to the Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services from Rockwell Automation that enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
ADDITIONAL LINKS
- Security Advisory Index, Knowledgebase Article ID 54102.
- ICS-CERT Advisory: Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow Vulnerability.
REVISION HISTORY
| Date | Version | Details |
|---|---|---|
| 05-DEC-2016 | 1.0 | Initial release. |
| 16-DEC-2016 | 1.1 | Added details to indicate this is a CIP based packet and added mitigations for CIP networks. |
| 04-JAN-2017 | 1.2 | Clarified CompactLogix L4x and GuardLogix L4xS V20 affected versions, and added remediated GuardLogix L4xS version. |
| 13-FEB-2017 | 1.3 | Added details for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed. |
| 21-AUG-2018 | 1.4 | Added remediated versions of Firmware for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed. |
| 13-MAY-2019 | 1.5 | Fixed broken links and added RA contact information. |