Modbus TCP AOI Server Could Leak Sensitive Information

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a vulnerability that was contained within the Modbus TCP Server Add-On Instructions (AOI) for ControlLogix® and CompactLogix™ controllers. This vulnerability may allow an unauthorized user to gain information when the Modbus TCP Server AOI accepts a malformed request.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

• Modbus TCP Server Add-On Instruction (AOI) for ControlLogix and CompactLogix controllers, used to connect to other devices via Modbus TCP protocol. Rockwell Automation Sample Code Library ID:101037.
  • Customers who do not use the AOI with a controller are not impacted.
  • The Modbus TCP Client AOI, that is a part of this sample code library, does not have this vulnerability.

Vulnerability Details

CVE-2023-0027 Rockwell Automation Modbus TCP Server Add-On Instruction Could Leak Sensitive Information
While the Modbus TCP Server AOI is in use, an unauthorized user could potentially send a malformed message causing the controller to respond with a copy of the most recent response to the last valid request. If exploited, an attacker could read the connected device’s Modbus TCP Server AOI information. It is impossible to exploit this vulnerability without knowing the Modbus address of the last valid request.


CVSS v3.1 Base Score: 5.3/10[medium]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products.

Products Affected	First Known Version Affected	Corrected In
Modbus TCP Add-On Instructions (AOI) Sample Code	2.00.00	This issue has been mitigated in the following AOI versions: 2.04.00 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

• PN1354 - Industrial Security Advisory Index
• CVE-2023-0027 JSON

Disclaimer

This document is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this document is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS DOCUMENT AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL AUTOMATION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED OFTHE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. NOTE THAT CERTAIN JURISDICTIONS DO NOT COUNTENANCE THE EXCLUSION OF IMPLIED WARRANTIES; THUS, THIS DISCLAIMER MAY NOT APPLY TO YOU.