Introduction

ControlLogix 5580 and CompactLogix 5380 Programmable Automation Controller Denial of Service

Description

Version 1.0 - April 4, 2017

A vulnerability exists in certain ControlLogix® 5580 and CompactLogix™ 5380 Programmable Automation Controllers that, if successfully exploited, can cause a Denial of Service ("DoS") condition due to memory and/or resource exhaustion. These Programmable Automation Controllers are used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS
Note: Firmware versions (for all products) prior to FRN 28.011 are not affected by this vulnerability.

ControlLogix 5580 controllers V28.011, V28.012, and V28.013.
ControlLogix 5580 controllers V29.011.
CompactLogix 5380 controllers V28.011.
CompactLogix 5380 controllers V29.011.

VULNERABILITY DETAILS
This vulnerability may allow an attacker to intentionally send a series of specific CIP-based commands to the controller and cause either:

1. A Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service condition.
2. An inability to establish new communication connections, while the attack takes place, resulting in a temporary Denial of Service condition.
This vulnerability is remotely exploitable through CIP-based networks, including EtherNet/IP. At this- time, there is no publicly known code to exploit this vulnerability. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system, and other controls a user may have in place.

CVE-2017-6024 has been assigned to this vulnerability. A CVSS v3 base score of 6.8/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk.

Type of Controller	Product Family	Catalog Numbers	Suggested Actions
Standard Controller	ControlLogix 5580	All Catalog Numbers in the ControlLogix 5580 Family	Update to FRN 30.011 or later (Download)
Small Controller	CompactLogix 5380	All Catalog Numbers in the CompactLogix 5380 Family	Update to FRN 30.011 or later (Download)

GENERAL SECURITY GUIDELINES
1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
2. Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
3. Locate control system networks and devices behind firewalls, and use best practices when isolating them from the business network.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.