Rockwell Automation 1756-EWEB <= 5.001 and 1768-EWEB <= 2.005 SNMP Denial of Service

high Nessus Network Monitor Plugin ID 720156

Synopsis

A remote attacker could send a crafted UDP packet to the SNMP service causing a denial-of-service condition to occur until the affected product is restarted.

Description

An unauthenticated, remote threat actor could send a crafted UDP packet to the affected product's SNMP service. This can be a zero length SNMP packet (to recreate use: hping3 -2 -p 161). Improper handling of this crafted packet could result in a denial of service for SNMP; port 161 stops receiving messages until the device is power-cycled. The web UI may show that the service is running even if it is not available. The control functionality of the device is unaffected.

Solution

Disable the SNMP service if not in use.

See Also

https://www.tenable.com/security/research/tra-2019-06,https://ics-cert.us-cert.gov/advisories/ICSA-19-036-02,https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1084268

Plugin Details

Severity: High

ID: 720156

Family: SCADA

Published: 5/8/2019

Updated: 9/30/2019

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2/5/2019

Vulnerability Publication Date: 2/5/2019

Reference Information

CVE: CVE-2018-19016