Published Date: April 11, 2024
Last updated: May 2, 2024
Revision Number: 2.0
May 2, 2024 - Added products to the Affected Products and Solution section
CVSS Score: v3.1 8.6/10, v4.0 9.2/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| ControlLogix® 5580 | V35.011 | V35.013, V36.011 and later |
| GuardLogix 5580 | V35.011 | V35.013, V36.011 and later |
| CompactLogix 5380 | V35.011 | V35.013, V36.011 and later |
| Compact GuardLogix 5380 | V35.011 | V35.013, V36.011 and later |
| 1756-EN4TR | V5.001 | V6.001 and later |
| ControlLogix 5580 Process | V35.011 | V35.013, V36.011 and later |
| CompactLogix 5380 Process | V35.011 | V35.013, V36.011 and later |
| CompactLogix 5480 | V35.011 | V35.013, V36.011 and later |
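The table above is what an asset owner has to check each installed controller against. The following script is an added example, not Rockwell Automation's code: it transcribes the table into data, parses firmware revision strings of the form "V35.011", and applies branch-aware range logic so that a revision is reported as affected only when it is at or after the first known affected revision and below the corrected revision for its branch (with "and later" branches counted as fixed). The interpretation that any release on a branch below that branch's corrected revision is affected is an assumption made here, and the product names are keyed without the ® mark.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int]

# Transcribed from the advisory's table: product -> (first known affected
# revision, corrected revisions). Each corrected revision also covers every
# later release on its branch ("and later").
ADVISORY: Dict[str, Tuple[str, List[str]]] = {
    "ControlLogix 5580": ("V35.011", ["V35.013", "V36.011"]),
    "GuardLogix 5580": ("V35.011", ["V35.013", "V36.011"]),
    "CompactLogix 5380": ("V35.011", ["V35.013", "V36.011"]),
    "Compact GuardLogix 5380": ("V35.011", ["V35.013", "V36.011"]),
    "1756-EN4TR": ("V5.001", ["V6.001"]),
    "ControlLogix 5580 Process": ("V35.011", ["V35.013", "V36.011"]),
    "CompactLogix 5380 Process": ("V35.011", ["V35.013", "V36.011"]),
    "CompactLogix 5480": ("V35.011", ["V35.013", "V36.011"]),
}

_REV = re.compile(r"^[Vv]?(\d+)\.(\d+)$")


def parse_revision(text: str) -> Version:
    """Turn 'V35.011' into (35, 11); raise ValueError on anything else."""
    m = _REV.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware revision: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(product: str, revision: str) -> bool:
    """Return True when the installed revision is in the advisory's affected range.

    Interpretation of the table (an assumption, not text from the advisory):
      * anything older than the first known affected revision is not affected;
      * on a branch (major number) that has a corrected revision, everything
        below it is affected and everything from it upward is fixed;
      * a branch newer than the newest corrected branch is "and later" (fixed);
      * a branch with no corrected revision that sits between the first known
        and the newest corrected branch is treated as affected (conservative).
    """
    if product not in ADVISORY:
        raise KeyError(f"{product!r} is not listed in the advisory")
    first_text, corrected_texts = ADVISORY[product]
    installed = parse_revision(revision)
    first = parse_revision(first_text)
    corrected = [parse_revision(c) for c in corrected_texts]

    if installed < first:
        return False
    same_branch = [c for c in corrected if c[0] == installed[0]]
    if same_branch:
        return installed < min(same_branch)
    newest_corrected_branch = max(c[0] for c in corrected)
    return installed[0] < newest_corrected_branch


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run an asset list of (product, revision) pairs through the advisory.

    Returns (product, revision, verdict) with verdict one of 'affected',
    'not affected' or 'unknown' (product not listed, or revision unparseable).
    """
    results = []
    for product, revision in inventory:
        try:
            verdict = "affected" if is_affected(product, revision) else "not affected"
        except (KeyError, ValueError):
            verdict = "unknown"
        results.append((product, revision, verdict))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; products and revisions are illustrative only.
    sample = [
        ("ControlLogix 5580", "V35.011"),
        ("ControlLogix 5580", "V35.013"),
        ("1756-EN4TR", "V5.001"),
        ("1756-EN4TR", "V6.001"),
        ("Some other module", "V1.001"),
    ]
    for product, revision, verdict in triage(sample):
        print(f"{product:28} {revision:8} {verdict}")
```

Entries that come back as "unknown" deserve a manual look rather than being dropped: a product not in the table may be out of scope, but it may also be an inventory naming mismatch.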
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-3493 IMPACT
A specific malformed fragmented packet type (fragmented packets may be generated automatically by devices that send large amounts of data) can cause a major nonrecoverable fault (MNRF). If exploited, the affected product will become unavailable and require a manual restart to recover it. Additionally, an MNRF could result in a loss of view and/or control of connected devices.
CVSS Base Score: 8.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS Base Score: 9.2/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CWE: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.
Mitigations and Workarounds
Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.