Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow (CVE-2016-9343)

critical Tenable OT Security Plugin ID 500092

Synopsis

The remote OT asset is affected by a vulnerability.

Description

An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending malformed common industrial protocol (CIP) packet, an attacker may be able to overflow a stack-based buffer and execute code on the controller or initiate a nonrecoverable fault resulting in a denial of service.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation has released new firmware versions to mitigate the identified vulnerability in the affected Logix5000 Controllers, with the exception of the FlexLogix controller, which has been discontinued and is no longer supported.

Rockwell Automation encourages users to install the new firmware version listed below (Catalog Numbers, “CN”, in parenthesis):

- DriveLogix 5730 (Embedded Controller Option with PowerFlex 700S) v16.23 (Catalog numbers beginning with 20D with a “K” or “L” in the 17th position);
- DriveLogix 5730 (Embedded Controller Option with PowerFlex 700S) v17.05 (Catalog numbers beginning with 20D with a “K” or “L” in the 17th position);

For more information about these catalog numbers, see Page 10 of the PowerFlex 700S Drives with Phase II Control Technical Data document.

- SoftLogix 5800 v23.00 and above (CN 1789-Lx);
- RSLogix Emulate 5000 v23.00 and above (CN 9310-Wx);
- ControlLogix L55 v16.023 and above (CN 1756-L55x);
- ControlLogix 5560 v16.023 and above (CN 1756-L6);
- ControlLogix 5560 v20.014 and above (CN 1756-L6);
- ControlLogix 5570 v20.014 and above (CN 1756-L7);
- ControlLogix 5570 v23.012 and above (CN 1756-L7);
- ControlLogix 5570 v24 and above (CN 1756-L7);
- ControlLogix 5560 Redundant v20.056 and above (CN 1756-L6);
- ControlLogix 5570 Redundant v20.056 and above (CN 1756-L7);
- ControlLogix 5570 Redundant v24.052 and above (CN 1756-L7);
- CompactLogix L23x and L3x v20.014 and above (CN 1769-L23, 1769-L31, 1769-L32, 1769-L35);
- CompactLogix 5370 L1, L2, and L3 Controllers v20.014 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix 5370 L1, L2, and L3 Controllers v23.012 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix 5370 L1, L2, and L3 Controllers v24 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix L4x v16.026 (Series A, B, and C) and v16.027 and above (Series D) (CN 1768-L4x);
- CompactLogix L4x v20.014 and above (Series A, B, and C) and v20.016 and above (Series D) (CN 1768-L4x);
- Compact GuardLogix L4xS v20.018 and above (CN 1768-L4xS);
- GuardLogix 5560 v20.018 and above (CN 1756-L6S);
- GuardLogix 5570 v20.018 and above (CN 1756-L7S);
- GuardLogix 5570 v23.012 and above (CN 1756-L7S); and
- GuardLogix 5570 v24 and above (CN 1756-L7S).

Rockwell Automation’s new firmware versions are available at the following URL:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx

Rockwell Automation’s security notification is available at the following URL, with a valid account:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/970074

Rockwell Automation recommends that users apply additional precautions and risk mitigation strategies to this type of attack, when possible, which could include the following:

- Use proper network infrastructure controls, such as firewalls, to help confirm that requests from unauthorized sources are blocked.
- Block all traffic to affected devices from outside the Manufacturing Zone by blocking or restricting access to Port 2222 TCP/UDP and Port 44818 TCP/UDP, using network infrastructure controls, such as firewalls, or other security appliances.
- When possible, keep the controller in RUN mode rather than Remote RUN or Remote Program in order to prevent other disruptive changes to the system.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-16-343-05

http://www.securityfocus.com/bid/95304

http://www.nessus.org/u?6442c056

Plugin Details

Severity: Critical

ID: 500092

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-9343

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rockwellautomation:controllogix_l55_controller_firmware, cpe:/o:rockwellautomation:1769_compactlogix_5370_l2_controller_firmware, cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware, cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware, cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware, cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware, cpe:/o:rockwellautomation:flexlogix_l34_controller_firmware, cpe:/o:rockwellautomation:1769_compactlogix_5370_l1_controller_firmware, cpe:/o:rockwellautomation:1769_compactlogix_5370_l3_controller_firmware, cpe:/o:rockwellautomation:controllogix_5570_controller_firmware, cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware, cpe:/o:rockwellautomation:controllogix_5560_controller_firmware, cpe:/o:rockwellautomation:1768_compact_guardlogix_l4xs_controller_firmware, cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware, cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware, cpe:/o:rockwellautomation:softlogix_5800_controller_firmware

Required KB Items: Tenable.ot/Rockwell

Exploit Ease: No known exploits are available

Patch Publication Date: 2/13/2017

Vulnerability Publication Date: 2/13/2017

Reference Information

CVE: CVE-2016-9343

CWE: 787

ICSA: 16-343-05