Severity: Critical
Advisory ID: PN1564
Publication Date: April 28, 2021
Last Updated: April 28, 2021
Revision Number: 1.1
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2016-20009
Summary: DNS Name:Wreck Vulnerabilities Affect Multiple Rockwell Automation Products
Revision History
Version 1.0 - April 26, 2021. Initial release.
Version 1.1 - April 28, 2021. Updated affected products and suggested user actions.
Executive Summary
On April 12, 2021, Forescout and JSOF released a report titled "NAME:WRECK" describing nine DNS-related vulnerabilities in four TCP/IP stacks used by many different technology vendors, including Rockwell Automation™. Rockwell Automation is impacted by one of these nine reported vulnerabilities. This vulnerability, if successfully exploited, may result in remote code execution.
Rockwell Automation continues to investigate the impact of these vulnerabilities and will update this advisory if additional products are impacted. We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability and recommended countermeasures are provided herein.
Affected Products
Product Family | Catalogs | Affected Versions |
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | All versions. |
CompactLogix 5370 | 1769-L1y 1769-L2y 1769-L3y | All versions prior to v30. |
| 1769-L3yS | All versions prior to v30, excluding v28.015. |
ControlLogix® 5580 | 1756-L8 | All versions prior to v30. |
CompactLogix 5380 | 5069-L3 | All versions prior to v30. |
ControlLogix EtherNet/IP Module | 1756-EN2T/D 1756-EN2TK/D 1756-EN2TXT/D 1756-EN2F/C 1756-EN2FK/C 1756-EN2TR/C 1756-EN2TRK/C 1756-EN2TRXT/C 1756-EN3TR/B 1756-EN3TRK/B 1756-EN2TPK/A 1756-EN2TPXT/A | All versions prior to v11.001. |
| 1756-EN2TP/A | All versions prior to v10.020. |
Note: GuardLogix® 5580 and Compact GuardLogix® 5380 are not affected by this vulnerability.
Vulnerability Details
CVE-2016-20009: Stack-based overflow in the IPnet may lead to remote code execution
In Wind River VxWorks versions 6.5 through 7, the DNS client (IPnet) has a stack-based overflow on the message decompression function. This may allow a remote, unauthenticated attacker to perform remote code execution.
CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
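The bug class described above comes from expanding a compressed DNS name (RFC 1035) into a fixed-size buffer without bounding what the message can make the decoder write. The following is an added example of a decompression routine that enforces those bounds; it is not Wind River or Rockwell Automation code, and `dns_expand_name`, `SAMPLE`, and the hop limit of 16 are names and values chosen for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_MAX_TEXT 253  /* longest dotted name RFC 1035's 255-byte limit allows */
#define DNS_MAX_HOPS 16   /* cap on pointers followed; value chosen for this example */

/* Constructed sample: 12-byte header, "plc.example" at offset 12, "hmi" plus a
 * pointer to offset 16 at offset 25, and a self-referencing pointer at 31. */
static const uint8_t SAMPLE[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    3, 'p', 'l', 'c', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
    3, 'h', 'm', 'i', 0xC0, 16, 0xC0, 31
};

/* Expand the name at msg[off] into out as dotted text. Returns the text
 * length, or -1 if the message is malformed or out is too small. */
int dns_expand_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t w = 0;   /* bytes written to out so far */
    int hops = 0;   /* compression pointers followed so far */

    if (out_len == 0) return -1;
    for (;;) {
        if (off >= msg_len) return -1;              /* never read past the message */
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= msg_len) return -1;      /* second pointer byte present */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= off) return -1;           /* no forward or self reference */
            if (++hops > DNS_MAX_HOPS) return -1;   /* bound the pointer chain */
            off = target;
            continue;
        }
        if (len & 0xC0) return -1;                  /* reserved label types */
        if (len == 0) break;                        /* root label ends the name */
        if (off + 1 + len > msg_len) return -1;     /* whole label inside message */
        size_t need = (size_t)len + (w ? 1 : 0);    /* label plus '.' separator */
        if (w + need > DNS_MAX_TEXT) return -1;     /* protocol length limit */
        if (w + need >= out_len) return -1;         /* caller's buffer, keep NUL room */
        if (w) out[w++] = '.';
        memcpy(out + w, msg + off + 1, len);
        w += len;
        off += 1 + (size_t)len;
    }
    out[w] = '\0';
    return (int)w;
}
```

The output-size check is applied per label before any copy, so a name assembled through pointers cannot exceed the destination buffer regardless of how the message is laid out.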
Risk Mitigation & User Action
Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Family | Catalogs | Suggested Actions |
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR. |
CompactLogix 5370 | 1769-L1y 1769-L2y 1769-L3y | Apply v30 or later. |
| 1769-L3yS | Apply v28.015 or v30 or later. |
ControlLogix® 5580 | 1756-L8 | Apply v30 or later. |
CompactLogix 5380 | 5069-L3 | Apply v30 or later. |
ControlLogix EtherNet/IP Module | 1756-EN2T/D 1756-EN2TK/D 1756-EN2TXT/D 1756-EN2F/C 1756-EN2FK/C 1756-EN2TR/C 1756-EN2TRK/C 1756-EN2TRXT/C 1756-EN3TR/B 1756-EN3TRK/B 1756-EN2TPK/A 1756-EN2TPXT/A | Apply v11.001 or later. |
| 1756-EN2TP/A | Apply v10.020 or later. |
General Security Guidelines
- Utilize proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
- Consult the product documentation for specific features, such as a hardware mode switch setting which may be used to block unauthorized changes, etc.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- PN1354 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- CVE-2016-20009
Copyright ©2022 Rockwell Automation, Inc.