Introduction
Description
Version 1.1 - March 29, 2019
Version 1.0 - March 28, 2019
Rockwell Automation received a report from security researcher Nicholas Merle of Applied Risk regarding a communication disruption/Denial of Service vulnerability in the embedded Ethernet port of PowerFlex® 525 AC drives.
A firmware upgrade to the PowerFlex 525 drive corrects this vulnerability. We encourage affected customers to evaluate the mitigations provided below and apply the appropriate mitigations based on their deployed products. Additional details relating to the discovered vulnerability, including affected product versions and mitigation actions, are provided herein.
AFFECTED PRODUCTS
PowerFlex 525 AC Drives with Embedded EtherNet/IP Port
- Firmware revisions 5.001 and earlier
Note: The 25-COMM-E2P Dual-Port EtherNet/IP Adapter, sometimes used with the PowerFlex 525 AC Drive, is not affected by this vulnerability.
VULNERABILITY DETAILS
A remote, unauthenticated threat actor with access to the Ethernet network containing a PowerFlex 525 drive can repeatedly send specific CIP packets to an affected drive. These repeated packets can result in resource exhaustion, denial of service, and/or memory corruption. The affected drive is then left in a state in which it cannot receive new messages over its embedded EtherNet/IP port, including over existing CIP explicit messaging connections. The resource exhaustion affects EtherNet/IP explicit messaging to the drive, which includes establishing new (or re-establishing lost) CIP I/O connections to the drive; existing CIP I/O connections, however, continue to operate normally. A manual reboot is required to restore normal functioning of the device.
CVE-2018-19282 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0 and assigned a CVSS v3 base score of 7.5. For a better understanding of how this score was generated, see the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers using the affected firmware revisions are encouraged to update to an available firmware revision that addresses the vulnerability. Customers who are unable to update their firmware are encouraged to employ one or more of the general security guidelines in the next section of this document.
Product Family | Catalog Numbers | Suggested Actions
--- | --- | ---
PowerFlex 525 AC Drives with an Embedded EtherNet/IP Port | Catalog numbers beginning with "25B-". For more information about catalog numbers, see page 13 of the PowerFlex 520-Series Adjustable Frequency AC Drive User Manual. | Update to firmware revision 5.002 or later (Download).
GENERAL SECURITY GUIDELINES
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that CIP™ messages from unauthorized sources are blocked.
- Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP ports 2222 and 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
- If applicable, consult the product documentation for specific features, such as a hardware key-switch setting, that may be used to block unauthorized changes.
- Use trusted software, software patches, and antivirus/antimalware programs, and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet or the business network.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
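Added example, not part of the advisory or any Rockwell tooling: a small Python screen over constructed flow records that applies the port-blocking guideline above from the monitoring side, flagging EtherNet/IP traffic (TCP/UDP 2222 and 44818) from outside an assumed Manufacturing Zone range and per-source bursts of explicit messaging to a drive that a firewall or flow collector should have caught. The zone CIDR, record format and burst threshold are assumptions chosen for illustration.

```python
"""Screen constructed flow records for EtherNet/IP traffic the advisory's
guidelines say should be blocked or watched. Added example, not Rockwell's
code; the zone CIDR, record format and threshold are assumptions."""
import ipaddress
from collections import defaultdict

# Ports named in the advisory: 2222 (CIP I/O) and 44818 (CIP explicit messaging).
ENIP_PORTS = {2222, 44818}
# Assumed Manufacturing Zone address range; anything outside it is untrusted here.
MANUFACTURING_ZONE = ipaddress.ip_network("192.168.10.0/24")
# Assumed packet-count threshold per (source, drive) pair for flagging a burst.
BURST_THRESHOLD = 500

def parse_flow(line):
    """Parse a constructed 'src dst proto dport packets' record into a dict."""
    src, dst, proto, dport, pkts = line.split()
    return {"src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "packets": int(pkts)}

def screen_flows(lines, zone=MANUFACTURING_ZONE, threshold=BURST_THRESHOLD):
    """Return (outside_zone, bursts): ENIP flows whose source is outside the
    zone, and per-(src, dst) packet totals to TCP 44818 above the threshold."""
    outside_zone = []
    explicit_totals = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f["dport"] not in ENIP_PORTS:
            continue  # not EtherNet/IP, out of scope for this screen
        if ipaddress.ip_address(f["src"]) not in zone:
            outside_zone.append((f["src"], f["dst"], f["proto"], f["dport"]))
        if f["dport"] == 44818 and f["proto"] == "TCP":
            explicit_totals[(f["src"], f["dst"])] += f["packets"]
    bursts = {pair: n for pair, n in explicit_totals.items() if n > threshold}
    return outside_zone, bursts

# Constructed sample records: src dst proto dport packets
SAMPLE_FLOWS = [
    "192.168.10.5 192.168.10.50 UDP 2222 120",   # normal I/O from an in-zone PLC
    "192.168.10.5 192.168.10.50 TCP 44818 40",   # normal explicit messaging
    "10.20.30.40 192.168.10.50 TCP 44818 900",   # outside the zone, and a burst
    "192.168.10.7 192.168.10.50 TCP 44818 600",  # in zone, but unusually high
    "10.20.30.41 192.168.10.50 TCP 443 10",      # not an ENIP port, ignored
]

if __name__ == "__main__":
    out, bursts = screen_flows(SAMPLE_FLOWS)
    print("ENIP from outside zone:", out)
    print("Explicit-messaging bursts:", bursts)
```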
For further information on the vulnerability handling process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing Rockwell Automation and Cisco validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- Applied Risk – Rockwell Automation PowerFlex 525 Denial of Service
- [ICS-CERT/NCCIC] ICSA-19-087-01 PowerFlex 525 AC Drives
REVISION HISTORY
Date | Version | Details
--- | --- | ---
28-March-2019 | 1.0 | Initial release
29-March-2019 | 1.1 | Added additional publication links