Introduction
Description
Version 1.0 - November 6, 2018
Rockwell Automation received a report from ICS-CERT regarding a vulnerability in certain products that, if successfully exploited, can allow a threat actor to disrupt Ethernet communication by changing the Internet Protocol (IP) configuration of the affected device in the system. The affected products include MicroLogix™ 1400 controllers and 1756 ControlLogix® EtherNet/IP Communications Modules.
These products currently adhere to the ODVA EtherNet/IP standard. We have addressed the risks exposed by this specific issue, and have taken additional action with ODVA to produce a standard that improves the security protocol utilized by industrial automation devices including those developed by Rockwell Automation.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details, including affected product versions and mitigation actions, are provided herein.
AFFECTED PRODUCTS
MicroLogix 1400 Controllers
- Series A, All Versions
- Series B, v21.003 and earlier
- Series C, v21.003 and earlier
1756 ControlLogix EtherNet/IP Communications Modules
- 1756-ENBT, All Versions
- 1756-EWEB
  - Series A, All Versions
  - Series B, All Versions
- 1756-EN2F
  - Series A, All Versions
  - Series B, All Versions
  - Series C, v10.10 and earlier
- 1756-EN2T
  - Series A, All Versions
  - Series B, All Versions
  - Series C, All Versions
  - Series D, v10.10 and earlier
- 1756-EN2TR
  - Series A, All Versions
  - Series B, All Versions
  - Series C, v10.10 and earlier
- 1756-EN3TR
  - Series A, All Versions
  - Series B, v10.10 and earlier
VULNERABILITY DETAILS
An unauthenticated, remote threat actor could potentially send a CIP connection request to an affected device and, upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system, because system traffic still attempts to reach the device at the IP address that was overwritten.
Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. The CVSS v3 vector string from which this score was generated is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update their firmware are directed towards the additional risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Family | Catalog Numbers | Suggested Actions |
MicroLogix™ 1400 Controllers | 1766-Lxxx, Series A | No direct mitigation provided. See NOTE: below for recommended actions. |
MicroLogix™ 1400 Controllers | 1766-Lxxx, Series B or C | 1. Apply FRN 21.004 and later (Download) 2. Once the new FRN is applied, use the LCD Display to put the controller in RUN mode to prevent configuration changes. See the MicroLogix 1400 Programmable Controllers User Manual for details. |
1756 EtherNet/IP Web Server Module | 1756-EWEB, All Series | No direct mitigation provided. See NOTE: below for recommended actions. |
1756 ControlLogix® EtherNet/IP Communications Modules | 1756-ENBT (All Versions); 1756-EN2F (Series A, All Versions; Series B, All Versions); 1756-EN2T (Series A, All Versions; Series B, All Versions; Series C, All Versions); 1756-EN2TR (Series A, All Versions; Series B, All Versions); 1756-EN3TR (Series A) | No direct mitigation provided. See NOTE: below for recommended actions. |
1756 ControlLogix® EtherNet/IP Communications Modules | 1756-EN2F, Series C; 1756-EN2T, Series D; 1756-EN2TR, Series C; 1756-EN3TR, Series B | 1. Apply FRN 11.001 and later (Download) 2. Once the new FRN is applied, enable Explicit Protected Mode. See the EtherNet/IP Network Configuration User Manual for details. |
NOTE: Customers that are sent here from the Suggested Action column above are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.
GENERAL SECURITY GUIDELINES
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP messages from unauthorized sources are blocked.
- Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes, etc.
- Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the operational zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
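One way to check that the port-blocking guideline above is actually enforced, as an added example that is not part of the advisory: the script audits firewall or flow records for TCP/UDP traffic to ports 2222 and 44818 that reaches operational-zone devices from sources outside the zone. The zone subnet, the CSV record layout and the sample records are constructed assumptions.

```python
import csv
import io
import ipaddress

CIP_PORTS = {2222, 44818}  # EtherNet/IP / CIP ports named in the advisory
# Assumption: the operational zone is this subnet; replace with your own.
OPERATIONAL_ZONE = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records (not real traffic): time,proto,src,dst,dport,action
SAMPLE_FLOWS = """\
time,proto,src,dst,dport,action
2018-11-06T08:00:01Z,tcp,10.20.0.15,10.20.0.40,44818,allow
2018-11-06T08:00:07Z,tcp,192.168.50.9,10.20.0.40,44818,allow
2018-11-06T08:00:09Z,udp,192.168.50.9,10.20.0.41,2222,deny
2018-11-06T08:01:30Z,udp,172.16.4.2,10.20.0.41,44818,allow
2018-11-06T08:02:11Z,tcp,192.168.50.9,10.20.0.40,443,allow
2018-11-06T08:03:00Z,icmp,192.168.50.9,10.20.0.40,0,allow
"""

def in_zone(addr):
    """True if addr belongs to one of the operational-zone networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OPERATIONAL_ZONE)

def audit_flows(text):
    """Return CIP-port flows that cross into the zone from outside it."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["proto"].lower() not in ("tcp", "udp"):
            continue  # the guideline covers TCP and UDP only
        if int(row["dport"]) not in CIP_PORTS:
            continue
        if not in_zone(row["dst"]) or in_zone(row["src"]):
            continue  # only traffic entering the zone from outside matters
        status = "blocked" if row["action"].lower() == "deny" else "EXPOSED"
        findings.append((row["time"], row["proto"], row["src"],
                         row["dst"], int(row["dport"]), status))
    return findings

def exposed(text):
    """Cross-zone CIP flows that the firewall let through."""
    return [f for f in audit_flows(text) if f[5] == "EXPOSED"]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any EXPOSED line is a path by which an unauthorized source outside the zone can still reach a CIP device; blocked lines confirm the rule is working and show who is probing.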
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- ICS-CERT Advisory (ICSA-18-310-02)
REVISION HISTORY
Date | Version | Details |
06-Nov-2018 | 1.0 | Initial Release. |