Rockwell Automation ControlLogix 5580 and CompactLogix 5380 Uncontrolled Resource Consumption (CVE-2017-6024)

medium Tenable OT Security Plugin ID 500235

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A Resource Exhaustion issue was discovered in Rockwell Automation ControlLogix 5580 controllers V28.011, V28.012, and V28.013; ControlLogix 5580 controllers V29.011; CompactLogix 5380 controllers V28.011; and CompactLogix 5380 controllers V29.011. This vulnerability may allow an attacker to cause a denial of service condition by sending a series of specific CIP-based commands to the controller.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation recommends updating to the latest version of ControlLogix 5580 controllers, Version 30.011 or later, which is available at the following location:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=1756-L8&crumb=112

Rockwell Automation recommends updating to the latest version of CompactLogix 5380 controllers, Version 30.011 or later, which is available at the following location:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=5069-L&crumb=112

For more information on this vulnerability and more detailed mitigation instructions, please see Rockwell Automation’s advisory labeled ControlLogix 5580 and CompactLogix 5380 Programmable Automation Controller Denial of Service, Version 1.0, April 4, 2017, at the following location:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1041420

As well as Rockwell Automation’s security page:

http://www.rockwellautomation.com/security/overview.page

ICS-CERT and Rockwell Automation recommend that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

- Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818/TCP and UDP using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270 which is available at the following location:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/898270

- Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and use best practices when isolating them from the business network. The Common Plant-wide Ethernet (CPwE) guide provides recommendations for deploying a plant-wide architecture: Industrial Firewalls within a CPwE Architecture
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-17-094-05

http://www.securityfocus.com/bid/98309

http://www.nessus.org/u?3cc5d21c

Plugin Details

Severity: Medium

ID: 500235

Version: 1.11

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 10/8/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2017-6024

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rockwellautomation:controllogix_5580_firmware:v29.011, cpe:/o:rockwellautomation:controllogix_5580_firmware:v28.011, cpe:/o:rockwellautomation:controllogix_5580_firmware:v28.013, cpe:/o:rockwellautomation:compactlogix_5380_firmware:v29.011, cpe:/o:rockwellautomation:controllogix_5580_firmware:v28.012, cpe:/o:rockwellautomation:compactlogix_5380_firmware:v28.011

Required KB Items: Tenable.ot/Rockwell

Exploit Ease: No known exploits are available

Patch Publication Date: 5/6/2017

Vulnerability Publication Date: 5/6/2017

Reference Information

CVE: CVE-2017-6024

CWE: 400

ICSA: 17-094-05