Rockwell Automation has new firmware to mitigate an improper input validation vulnerability in its Allen-Bradley CompactLogix and Compact GuardLogix, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by Alexey Perepechko of Applied Risk, could result in a denial-of-service condition. As a result, the controller goes into a Major Non-Recoverable Fault (MNRF) state, which is considered safe. However, recovery requires the user to download the application program again.
In addition, Rockwell determined there were additional products affected by the vulnerability and reported this information to NCCIC.
The following products suffer from the issue:
• Allen-Bradley CompactLogix 5370 L1 controllers, Versions 30.014 and prior
• Allen-Bradley CompactLogix 5370 L2 controllers, Versions 30.014 and prior
• Allen-Bradley CompactLogix 5370 L3 controllers, Versions 30.014 and prior
• Allen-Bradley Armor CompactLogix 5370 L3 controllers, Versions 30.014 and prior
• Allen-Bradley Compact GuardLogix 5370 controllers, Versions 30.014 and prior
• Allen-Bradley Armor Compact GuardLogix 5370 controllers, Versions 30.014 and prior
This vulnerability may allow an attacker to intentionally send a specific TCP packet to the product and cause a Major Non-Recoverable Fault (MNRF), resulting in a denial-of-service condition.
CVE-2017-9312 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
The product sees use in the chemical, critical manufacturing, food and agriculture, transportation systems, and water and wastewater systems sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Rockwell recommends users with affected controllers apply firmware revision FRN (31.011 or later) to the affected products. Click here to download the update.
Users who are unable to update are directed to employ the following general security guidelines:
• Block all traffic to Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818/TCP and UDP using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270 (login required).
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
When possible, users are recommended to apply the firmware revision in conjunction with the general security guidelines to employ multiple strategies simultaneously.
For more information on this vulnerability and more detailed mitigation instructions, access an account in order to view Rockwell Automation’s advisory.