CVE-2012-6440 (GCVE-0-2012-6440)
Vulnerability from cvelistv5 – Published: 2013-01-24 21:00 – Updated: 2025-06-30 22:03

| Vendor | Product | Version |
|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules | Affected: All |

{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.932Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T22:03:01.214Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "INTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Input Validation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eTo mitigate the vulnerability with the Web server password authentication mechanism:\u003c/p\u003e\u003col\u003e\u003cli\u003eUpgrade the MicroLogix 1400 firmware to FRN 12 or higher.\u003c/li\u003e\u003cli\u003eBecause of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\u003c/li\u003e\u003cli\u003eWhere possible, disable the Web server and change all default Administrator and Guest passwords.\u003c/li\u003e\u003cli\u003eIf Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as:\u003col\u003e\u003cli\u003eWhen a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\u003c/li\u003e\u003cli\u003eWhen a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eIf Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. 
Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\n\n\n\n\nTo mitigate the vulnerability with the Web server password authentication mechanism:\n\n * Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.\n * Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\n * Where possible, disable the Web server and change all default Administrator and Guest passwords.\n * If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: * When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\n * When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\n\n * If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. 
Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6440",
"datePublished": "2013-01-24T21:00:00.000Z",
"dateReserved": "2012-12-26T00:00:00.000Z",
"dateUpdated": "2025-06-30T22:03:01.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rockwellautomation:controllogix_controllers:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"20\", \"matchCriteriaId\": \"37F4D4ED-1915-4155-9F0A-691771AA534B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rockwellautomation:guardlogix_controllers:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"20\", \"matchCriteriaId\": \"A2F8B5EE-C1BA-4CFB-B17F-C59BCDB41503\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1100\", \"matchCriteriaId\": \"DE554CCC-0A46-43D4-8D7D-44200BB7D314\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1400\", \"matchCriteriaId\": \"8D3B4218-4483-4FAE-9915-8937F40AED27\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rockwellautomation:softlogix_controllers:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"19\", \"matchCriteriaId\": \"FE7219A5-4759-4143-B89F-869D49CAAFF7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"330E9A05-C869-41B1-BB28-FD2A7C7ED0CE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2AD7D5DB-4A49-421A-8C6C-B9E6DA0A499B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DD44B55C-BDD7-41CC-91A9-F31ED2FC69E2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C91D5245-DED2-469C-A800-62109F8159C9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\\\/o_ethernet\\\\/ip_adapter:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0BD25E6B-6AE1-4B8C-A086-F5E152CAAA60\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:h:rockwellautomation:compactlogix:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"18\", \"matchCriteriaId\": \"AA199887-E8F7-48EE-B1E0-9EF2E439DACE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:compactlogix_controllers:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"19\", \"matchCriteriaId\": \"A763D845-B091-47A4-8A29-A1CD19C1E4F2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"19B8ED27-2512-4A42-973C-99D300963046\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7EFC590C-01C1-48D1-A5BE-0F70BE7F36B9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:controllogix:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"18\", \"matchCriteriaId\": \"4FE24B9B-9F7D-4D8F-A674-F04FC9F9F8BC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"887A3369-548C-42B0-82C5-92CB161D3B7A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:guardlogix:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"18\", \"matchCriteriaId\": \"E98626DD-BC79-473E-B25F-92C9BA12F6DD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:rockwellautomation:softlogix:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"18\", \"matchCriteriaId\": \"D83AF504-2845-4022-BA8E-52F4FB773EA4\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.\"}, {\"lang\": \"es\", \"value\": \"La funcionalidad de autenticaci\\u00f3n web-server en los productos Rockwell Automation EtherNet/IP; m\\u00f3dulos de comunicaci\\u00f3n 1756-ENBT, 1756-EWEB, 1768-ENBT, y 1768-EWEB; controlodares CompactLogix L32E y L35E; adaptador 1788-ENBT FLEXLogix; adaptador 1794-AENTR FLEX I/O EtherNet/IP; ControlLogix 18 y anteriores; CompactLogix 18 y anteriores; GuardLogix 18 y anteriores; SoftLogix 18 y anteriores; controladores CompactLogix 19 y anteriores; controladores SoftLogix 19 y anteriores; controladores ControlLogix 20 y anteriores; controladores GuardLogix 20 y anteriores; MicroLogix 1100 y 1400 permiten ataques man-in-the-middle conducir ataques de repetici\\u00f3n por tr\\u00e1fico HTTP.\"}]",
"id": "CVE-2012-6440",
"lastModified": "2024-11-21T01:46:07.900",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\", \"baseScore\": 9.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.6, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2013-01-24T21:55:01.697",
"references": "[{\"url\": \"http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"US Government Resource\"]}]",
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2012-6440\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2013-01-24T21:55:01.697\",\"lastModified\":\"2025-06-30T22:15:29.253\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\\n\\n\\n\\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\"},{\"lang\":\"es\",\"value\":\"La funcionalidad de autenticaci\u00f3n web-server en los productos Rockwell Automation EtherNet/IP; m\u00f3dulos de comunicaci\u00f3n 1756-ENBT, 1756-EWEB, 1768-ENBT, y 1768-EWEB; controlodares CompactLogix L32E y L35E; adaptador 1788-ENBT FLEXLogix; adaptador 1794-AENTR FLEX I/O EtherNet/IP; ControlLogix 18 y anteriores; CompactLogix 18 y anteriores; GuardLogix 18 y anteriores; SoftLogix 18 y anteriores; controladores CompactLogix 19 y anteriores; controladores SoftLogix 19 y anteriores; controladores ControlLogix 20 y anteriores; controladores GuardLogix 20 y anteriores; MicroLogix 1100 y 1400 permiten ataques man-in-the-middle conducir ataques de repetici\u00f3n por tr\u00e1fico 
HTTP.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rockwellautomation:controllogix_controllers:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"20\",\"matchCriteriaId\":\"37F4D4ED-1915-4155-9F0A-691771AA534B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rockwellautomation:guardlogix_controllers:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"20\",\"matchCriteriaId\":\"A2F8B5EE-C1BA-4CFB-B17F-C59BCDB41503\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rockwellautomation:micrologix:*:*:*:
*:*:*:*:*\",\"versionEndIncluding\":\"1100\",\"matchCriteriaId\":\"DE554CCC-0A46-43D4-8D7D-44200BB7D314\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1400\",\"matchCriteriaId\":\"8D3B4218-4483-4FAE-9915-8937F40AED27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rockwellautomation:softlogix_controllers:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"19\",\"matchCriteriaId\":\"FE7219A5-4759-4143-B89F-869D49CAAFF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"330E9A05-C869-41B1-BB28-FD2A7C7ED0CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AD7D5DB-4A49-421A-8C6C-B9E6DA0A499B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD44B55C-BDD7-41CC-91A9-F31ED2FC69E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C91D5245-DED2-469C-A800-62109F8159C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\\\/o_ethernet\\\\/ip_adapter:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0BD25E6B-6AE1-4B8C-A086-F5E152CAAA60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:compactlogix:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"18\",\"matchCriteriaId\":\"AA199887-E8F7-48EE-B1E0-9EF2E439DACE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:compactlogix_controllers:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"19\",\"matchCriteriaId\":\"A763D845-B091-47A4-8A29-A1CD19C1E4F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"19B8ED27-2512-4A42-973C-99D300963046\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*\",\"matchCriteriaId
\":\"7EFC590C-01C1-48D1-A5BE-0F70BE7F36B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:controllogix:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"18\",\"matchCriteriaId\":\"4FE24B9B-9F7D-4D8F-A674-F04FC9F9F8BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"887A3369-548C-42B0-82C5-92CB161D3B7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:guardlogix:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"18\",\"matchCriteriaId\":\"E98626DD-BC79-473E-B25F-92C9BA12F6DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:rockwellautomation:softlogix:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"18\",\"matchCriteriaId\":\"D83AF504-2845-4022-BA8E-52F4FB773EA4\"}]}]}],\"references\":[{\"url\":\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]}]}}"
}
}
CERTA-2013-AVI-047
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been fixed in Rockwell Automation Controllogix. They involve remote denial of service and breaches of data confidentiality.
Solution
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

| Vendor | Product | Description |
|---|---|---|
| N/A | N/A | 1768-ENBT |
| N/A | N/A | MicroLogix 1400 |
| N/A | N/A | 1768-EWEB |
| N/A | N/A | 1788-ENBT |
| N/A | N/A | 1756-EWEB |
| N/A | N/A | 1794-AENTR |
| N/A | N/A | CompactLogix L32 and L35E |
| N/A | N/A | 1756-ENBT |
| N/A | N/A | ControlLogix, CompactLogix, GuardLogix, SoftLogix, version 18 and earlier |
| N/A | N/A | MicroLogix 1100 |
| N/A | N/A | EtherNet/IP |

{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "1768-ENBT",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "MicroLogix 1400",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1768-EWEB",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1788-ENBT",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1756-EWEB",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1794-AENTR",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "CompactLogix L32 et L35E",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1756-ENBT",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "ControlLogix, CompactLogix, GuardLogix, SoftLogix, version 18 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "MicroLogix 1100",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "EtherNet/IP",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2012-6441",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6441"
},
{
"name": "CVE-2012-6437",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6437"
},
{
"name": "CVE-2012-6442",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6442"
},
{
"name": "CVE-2012-6435",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6435"
},
{
"name": "CVE-2012-6438",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6438"
},
{
"name": "CVE-2012-6436",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6436"
},
{
"name": "CVE-2012-6439",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6439"
},
{
"name": "CVE-2012-6440",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6440"
}
],
"links": [],
"reference": "CERTA-2013-AVI-047",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-01-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eRockwell Automation Controllogix\u003c/span\u003e. Elles concernent\ndes d\u00e9nis de services \u00e0 distance et des atteintes \u00e0 la confidentialit\u00e9\ndes donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le syst\u00e8me SCADA Rockwell Automation Controllogix",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 ICSA-13-011-03 du 11 janvier 2013",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
VAR-201301-0157
Vulnerability from variot - Updated: 2023-12-18 12:09
The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic. The web-server password-authentication function in multiple Rockwell Automation products contains a vulnerability that allows replay attacks: a man-in-the-middle attacker can perform replay attacks via HTTP traffic. Rockwell Automation MicroLogix is a programmable controller platform. The Rockwell products affected by this vulnerability are all EtherNet/IP products that comply with the CIP and EtherNet/IP specifications. Attackers can exploit this vulnerability to bypass certain security restrictions and perform unauthorized actions, which may aid in further attacks.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201301-0157",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "1794-aentr flex i\\/o ethernet\\/ip adapter",
"scope": "eq",
"trust": 1.6,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "flexlogix 1788-enbt adapter",
"scope": "eq",
"trust": 1.6,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "compactlogix controllers",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "19"
},
{
"model": "micrologix",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "1100"
},
{
"model": "micrologix",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "1400"
},
{
"model": "1756-enbt",
"scope": "eq",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "1768-enbt",
"scope": "eq",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "compactlogix",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "18"
},
{
"model": "softlogix controllers",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "19"
},
{
"model": "guardlogix controllers",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "20"
},
{
"model": "compactlogix l35e controller",
"scope": "eq",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "1756-eweb",
"scope": "eq",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "1768-eweb",
"scope": "eq",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "controllogix",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "18"
},
{
"model": "guardlogix",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "18"
},
{
"model": "softlogix",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "18"
},
{
"model": "compactlogix l32e controller",
"scope": "eq",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "controllogix controllers",
"scope": "lte",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": "20"
},
{
"model": "1756-enbt",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "1756-eweb",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "1768-enbt",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "1768-eweb",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "compactlogix l32e controller",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "compactlogix l35e controller",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "compactlogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "18"
},
{
"model": "compactlogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "19"
},
{
"model": "controllogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "18"
},
{
"model": "controllogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "20"
},
{
"model": "flex i/o ethernet/ip adapter 1794-aentr",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "flexlogix 1788-enbt",
"scope": null,
"trust": 0.8,
"vendor": "rockwell automation",
"version": null
},
{
"model": "guardlogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "18"
},
{
"model": "guardlogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "20"
},
{
"model": "micrologix",
"scope": "eq",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "1100"
},
{
"model": "micrologix",
"scope": "eq",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "1400"
},
{
"model": "softlogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "18"
},
{
"model": "softlogix controller",
"scope": "lte",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "19"
},
{
"model": "automation controllogix",
"scope": null,
"trust": 0.6,
"vendor": "rockwell",
"version": null
},
{
"model": "automation micrologix",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwell",
"version": "1100"
},
{
"model": "automation micrologix",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwell",
"version": "1400"
},
{
"model": "guardlogix controllers",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "20"
},
{
"model": "micrologix",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "1100"
},
{
"model": "softlogix",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "18"
},
{
"model": "guardlogix",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "18"
},
{
"model": "controllogix controllers",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "20"
},
{
"model": "compactlogix controllers",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "19"
},
{
"model": "micrologix",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "1400"
},
{
"model": "softlogix controllers",
"scope": "eq",
"trust": 0.6,
"vendor": "rockwellautomation",
"version": "19"
},
{
"model": null,
"scope": "eq",
"trust": 0.4,
"vendor": "micrologix",
"version": "*"
},
{
"model": "automation softlogix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "19"
},
{
"model": "automation softlogix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "18"
},
{
"model": "automation micrologix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "14000"
},
{
"model": "automation micrologix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "11000"
},
{
"model": "automation guardlogix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "20"
},
{
"model": "automation guardlogix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "18"
},
{
"model": "automation compactlogix l35e",
"scope": null,
"trust": 0.3,
"vendor": "rockwell",
"version": null
},
{
"model": "automation compactlogix l32e",
"scope": null,
"trust": 0.3,
"vendor": "rockwell",
"version": null
},
{
"model": "automation compactlogix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "19"
},
{
"model": "automation compactlogix",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "18"
},
{
"model": "automation 1794-aentr",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "0"
},
{
"model": "automation 1788-enbt",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "0"
},
{
"model": "automation 1768-eweb",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "0"
},
{
"model": "automation 1768-enbt",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "0"
},
{
"model": "automation 1756-enbt",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "0"
},
{
"model": "automation 1756-en2t series b",
"scope": "eq",
"trust": 0.3,
"vendor": "rockwell",
"version": "0"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "controllogix controllers",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "guardlogix controllers",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "softlogix controllers",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "1756 enbt",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "1756 eweb",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "1768 enbt",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "1768 eweb",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "1794 aentr flex i o ethernet ip adapter",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "compactlogix",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "compactlogix controllers",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "compactlogix l32e controller",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "compactlogix l35e controller",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "controllogix",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "flexlogix 1788 enbt adapter",
"version": null
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "guardlogix",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "softlogix",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"db": "BID",
"id": "57315"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\/o_ethernet\\/ip_adapter:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:controllogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "20",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1100",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:guardlogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:softlogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "19",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:softlogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "19",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:controllogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:guardlogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "20",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1400",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2012-6440"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Rockwell Automation engineers",
"sources": [
{
"db": "BID",
"id": "57315"
},
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
],
"trust": 0.9
},
"cve": "CVE-2012-6440",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.3,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2012-6440",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "207536e4-2353-11e6-abef-000c29c66e3d",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-59721",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2012-6440",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201301-461",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-59721",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-59721"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic. plural Rockwell Automation Product Web The server password authentication function contains a vulnerability that allows replay attacks to be performed.Man-in-the-middle attacks (man-in-the-middle attack) By HTTP Through traffic, replay attacks can be performed. Rockwell Automation MicroLogix is a programmable controller platform. Rockwell\u0027s products are affected by this vulnerability: all EtherNet/IP products that comply with CIP and EtherNet/IP specifications. \nAttackers can exploit this vulnerability to bypass certain security restrictions, perform unauthorized actions; which may aid in further attacks",
"sources": [
{
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"db": "BID",
"id": "57315"
},
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-59721"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2012-6440",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSA-13-011-03",
"trust": 3.4
},
{
"db": "BID",
"id": "57315",
"trust": 1.0
},
{
"db": "CNNVD",
"id": "CNNVD-201301-461",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2013-00292",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268",
"trust": 0.8
},
{
"db": "IVD",
"id": "207536E4-2353-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-59721",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"db": "VULHUB",
"id": "VHN-59721"
},
{
"db": "BID",
"id": "57315"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
]
},
"id": "VAR-201301-0157",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"db": "VULHUB",
"id": "VHN-59721"
}
],
"trust": 1.6410444866666667
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2013-00292"
}
]
},
"last_update_date": "2023-12-18T12:09:30.593000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.rockwellautomation.com/"
},
{
"title": "Partner",
"trust": 0.8,
"url": "http://jp.rockwellautomation.com/applications/gs/ap/gsjp.nsf/pages/partner"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://jp.rockwellautomation.com/"
},
{
"title": "Patch for Rockwell Automation ControlLogix Replay Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/29251"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-59721"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"db": "NVD",
"id": "CVE-2012-6440"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.4,
"url": "http://www.us-cert.gov/control_systems/pdf/icsa-13-011-03.pdf"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-6440"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-6440"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/57315"
},
{
"trust": 0.3,
"url": "http://www.rockwellautomation.com/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"db": "VULHUB",
"id": "VHN-59721"
},
{
"db": "BID",
"id": "57315"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"db": "VULHUB",
"id": "VHN-59721"
},
{
"db": "BID",
"id": "57315"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-01-17T00:00:00",
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"date": "2013-01-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"date": "2013-01-24T00:00:00",
"db": "VULHUB",
"id": "VHN-59721"
},
{
"date": "2013-01-11T00:00:00",
"db": "BID",
"id": "57315"
},
{
"date": "2013-01-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"date": "2013-01-24T21:55:01.697000",
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"date": "2013-01-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-05-25T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-00292"
},
{
"date": "2013-01-25T00:00:00",
"db": "VULHUB",
"id": "VHN-59721"
},
{
"date": "2013-01-11T00:00:00",
"db": "BID",
"id": "57315"
},
{
"date": "2013-01-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-001268"
},
{
"date": "2013-01-25T16:31:13.460000",
"db": "NVD",
"id": "CVE-2012-6440"
},
{
"date": "2013-01-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Rockwell Automation ControlLogix Replay Vulnerability",
"sources": [
{
"db": "IVD",
"id": "207536e4-2353-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2013-00292"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201301-461"
}
],
"trust": 0.6
}
}
FKIE_CVE-2012-6440
Vulnerability from fkie_nvd - Published: 2013-01-24 21:55 - Updated: 2025-06-30 22:15
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rockwellautomation:controllogix_controllers:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37F4D4ED-1915-4155-9F0A-691771AA534B",
"versionEndIncluding": "20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rockwellautomation:guardlogix_controllers:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2F8B5EE-C1BA-4CFB-B17F-C59BCDB41503",
"versionEndIncluding": "20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DE554CCC-0A46-43D4-8D7D-44200BB7D314",
"versionEndIncluding": "1100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8D3B4218-4483-4FAE-9915-8937F40AED27",
"versionEndIncluding": "1400",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rockwellautomation:softlogix_controllers:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE7219A5-4759-4143-B89F-869D49CAAFF7",
"versionEndIncluding": "19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*",
"matchCriteriaId": "330E9A05-C869-41B1-BB28-FD2A7C7ED0CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2AD7D5DB-4A49-421A-8C6C-B9E6DA0A499B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD44B55C-BDD7-41CC-91A9-F31ED2FC69E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C91D5245-DED2-469C-A800-62109F8159C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\/o_ethernet\\/ip_adapter:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0BD25E6B-6AE1-4B8C-A086-F5E152CAAA60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:compactlogix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA199887-E8F7-48EE-B1E0-9EF2E439DACE",
"versionEndIncluding": "18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:compactlogix_controllers:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A763D845-B091-47A4-8A29-A1CD19C1E4F2",
"versionEndIncluding": "19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "19B8ED27-2512-4A42-973C-99D300963046",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7EFC590C-01C1-48D1-A5BE-0F70BE7F36B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:controllogix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4FE24B9B-9F7D-4D8F-A674-F04FC9F9F8BC",
"versionEndIncluding": "18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*",
"matchCriteriaId": "887A3369-548C-42B0-82C5-92CB161D3B7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:guardlogix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E98626DD-BC79-473E-B25F-92C9BA12F6DD",
"versionEndIncluding": "18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:rockwellautomation:softlogix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D83AF504-2845-4022-BA8E-52F4FB773EA4",
"versionEndIncluding": "18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
},
{
"lang": "es",
"value": "La funcionalidad de autenticaci\u00f3n web-server en los productos Rockwell Automation EtherNet/IP; m\u00f3dulos de comunicaci\u00f3n 1756-ENBT, 1756-EWEB, 1768-ENBT, y 1768-EWEB; controlodares CompactLogix L32E y L35E; adaptador 1788-ENBT FLEXLogix; adaptador 1794-AENTR FLEX I/O EtherNet/IP; ControlLogix 18 y anteriores; CompactLogix 18 y anteriores; GuardLogix 18 y anteriores; SoftLogix 18 y anteriores; controladores CompactLogix 19 y anteriores; controladores SoftLogix 19 y anteriores; controladores ControlLogix 20 y anteriores; controladores GuardLogix 20 y anteriores; MicroLogix 1100 y 1400 permiten ataques man-in-the-middle conducir ataques de repetici\u00f3n por tr\u00e1fico HTTP."
}
],
"id": "CVE-2012-6440",
"lastModified": "2025-06-30T22:15:29.253",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary",
"userInteractionRequired": true
},
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-01-24T21:55:01.697",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
GHSA-C3P8-QP2X-9XXF
Vulnerability from github – Published: 2022-05-17 05:16 – Updated: 2025-07-01 00:30
The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.
{
"affected": [],
"aliases": [
"CVE-2012-6440"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-01-24T21:55:00Z",
"severity": "HIGH"
},
"details": "The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.",
"id": "GHSA-c3p8-qp2x-9xxf",
"modified": "2025-07-01T00:30:32Z",
"published": "2022-05-17T05:16:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6440"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"type": "WEB",
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
ICSA-13-011-03
Vulnerability from csaf_cisa - Published: 2013-10-15 06:00 - Updated: 2025-06-06 22:38
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-13-011-03 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2013/icsa-13-011-03.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-13-011-03 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
}
],
"title": "Rockwell Automation ControlLogix PLC Vulnerabilities",
"tracking": {
"current_release_date": "2025-06-06T22:38:48.956870Z",
"generator": {
"date": "2025-06-06T22:38:48.956764Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-13-011-03",
"initial_release_date": "2013-10-15T06:00:00.000000Z",
"revision_history": [
{
"date": "2013-10-15T06:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "Initial Publication"
},
{
"date": "2025-06-06T22:38:48.956870Z",
"legacy_version": "CSAF Conversion",
"number": "2",
"summary": "Advisory converted into a CSAF"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation EtherNet/IP products that conform to the CIP and EtherNet/IP specifications: vers:all/*",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "EtherNet/IP products that conform to the CIP and EtherNet/IP specifications"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation 1756-ENBT: vers:all/*",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "1756-ENBT"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation 1756-EWEB: vers:all/*",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "1756-EWEB"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation 1768-ENBT: vers:all/*",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "1768-ENBT"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation 1768-EWEB: vers:all/*",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "1768-EWEB"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation CompactLogix L32E and L35E controllers: vers:all/*",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "CompactLogix L32E and L35E controllers"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation 1788-ENBT FLEXLogix adapter: vers:all/*",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "1788-ENBT FLEXLogix adapter"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation 1794-AENTR FLEX I/O EtherNet/IP adapter: vers:all/*",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "1794-AENTR FLEX I/O EtherNet/IP adapter"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation ControlLogix: vers:all/*",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "ControlLogix"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation CompactLogix: vers:all/*",
"product_id": "CSAFPID-0010"
}
}
],
"category": "product_name",
"name": "CompactLogix"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation GuardLogix: vers:all/*",
"product_id": "CSAFPID-0011"
}
}
],
"category": "product_name",
"name": "GuardLogix"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=18",
"product": {
"name": "Rockwell Automation SoftLogix: \u003c=18",
"product_id": "CSAFPID-0012"
}
}
],
"category": "product_name",
"name": "SoftLogix"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=19",
"product": {
"name": "Rockwell Automation CompactLogix and SoftLogix controllers: \u003c=19",
"product_id": "CSAFPID-0013"
}
}
],
"category": "product_name",
"name": "CompactLogix and SoftLogix controllers"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=20",
"product": {
"name": "Rockwell Automation ControlLogix and GuardLogix controllers: \u003c=20",
"product_id": "CSAFPID-0014"
}
}
],
"category": "product_name",
"name": "ControlLogix and GuardLogix controllers"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation MicroLogix 1100: vers:all/*",
"product_id": "CSAFPID-0015"
}
}
],
"category": "product_name",
"name": "MicroLogix 1100"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Rockwell Automation MicroLogix 1400: vers:all/*",
"product_id": "CSAFPID-0016"
}
}
],
"category": "product_name",
"name": "MicroLogix 1400"
}
],
"category": "vendor",
"name": "Rockwell Automation"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-6439",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 8.5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:C",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
},
{
"cve": "CVE-2012-6442",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that specifies a reset.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 7.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
},
{
"cve": "CVE-2012-6435",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that specifies a logic-execution stop and fault.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 7.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
},
{
"cve": "CVE-2012-6441",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "summary",
"text": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to obtain sensitive information via a crafted CIP packet.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 5.0,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
},
{
"cve": "CVE-2012-6438",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows remote attackers to cause a denial of service (NIC crash and communication outage) via a malformed CIP packet.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 7.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
},
{
"cve": "CVE-2012-6436",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows remote attackers to cause a denial of service (CPU crash and communication outage) via a malformed CIP packet.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 7.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
},
{
"cve": "CVE-2012-6440",
"cwe": {
"id": "CWE-294",
"name": "Authentication Bypass by Capture-replay"
},
"notes": [
{
"category": "summary",
"text": "The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 9.3,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
},
{
"cve": "CVE-2012-6437",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 do not properly perform authentication for Ethernet firmware updates, which allows remote attackers to execute arbitrary code via a Trojan horse update image.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
"remediations": [
{
"category": "mitigation",
"details": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at: (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"category": "mitigation",
"details": "(https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"category": "mitigation",
"details": "For more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index.(http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102)",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"category": "mitigation",
"details": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "To mitigate the vulnerability with the Web server password authentication mechanism: Upgrade the MicroLogix 1400 firmware to FRN 12 or higher. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise. Where possible, disable the Web server and change all default Administrator and Guest passwords. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout. If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
},
{
"category": "mitigation",
"details": "In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices: Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets. Make sure that software and control system device firmware is patched to current releases. Periodically change passwords in control system components and infrastructure devices. Where applicable, set the controller key-switch/mode-switch to RUN mode.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
],
"url": "http://www.ab.com/networks/architectures.html"
}
],
"scores": [
{
"cvss_v2": {
"baseScore": 10.0,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-0010",
"CSAFPID-0011",
"CSAFPID-0012",
"CSAFPID-0013",
"CSAFPID-0014",
"CSAFPID-0015",
"CSAFPID-0016"
]
}
]
}
]
}
GSD-2012-6440
Vulnerability from gsd - Updated: 2023-12-13 01:20
{
"GSD": {
"alias": "CVE-2012-6440",
"description": "The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.",
"id": "GSD-2012-6440"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2012-6440"
],
"details": "The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.",
"id": "GSD-2012-6440",
"modified": "2023-12-13T01:20:17.361157Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6440",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\/o_ethernet\\/ip_adapter:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:controllogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "20",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1100",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:guardlogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:softlogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:compactlogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "19",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:softlogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "19",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:rockwellautomation:controllogix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:guardlogix_controllers:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "20",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1400",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6440"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"tags": [
"US Government Resource"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2013-01-25T16:31Z",
"publishedDate": "2013-01-24T21:55Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.