github - ghsa-4874-wfww-j2mq

GHSA-4874-WFWW-J2MQ

Vulnerability from github – Published: 2022-05-17 05:16 – Updated: 2025-07-01 00:30

Details

Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows remote attackers to cause a denial of service (CPU crash and communication outage) via a malformed CIP packet.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2012-6436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-01-24T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows remote attackers to cause a denial of service (CPU crash and communication outage) via a malformed CIP packet.",
  "id": "GHSA-4874-wfww-j2mq",
  "modified": "2025-07-01T00:30:32Z",
  "published": "2022-05-17T05:16:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6436"
    },
    {
      "type": "WEB",
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
    },
    {
      "type": "WEB",
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
    },
    {
      "type": "WEB",
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
    },
    {
      "type": "WEB",
      "url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2012-6436 (GCVE-0-2012-6436)

Vulnerability from cvelistv5 – Published: 2013-01-24 21:00 – Updated: 2025-06-30 21:59

Summary

The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

Severity ?

No CVSS data available.

CWE

CWE-119

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	https://rockwellautomation.custhelp.com/app/answe…
	https://rockwellautomation.custhelp.com/app/answe…
	https://rockwellautomation.custhelp.com/app/answe…
	http://rockwellautomation.custhelp.com/app/answer…

Impacted products

Vendor

Product

Version

Rockwell Automation

1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules

Affected: All

Rockwell Automation	CompactLogix L32E and L35E controllers	Affected: All
Rockwell Automation	1788-ENBT FLEXLogix adapter	Affected: All
Rockwell Automation	1794-AENTR FLEX I/O EtherNet/IP adapter	Affected: All
Rockwell Automation	ControlLogix, CompactLogix, GuardLogix, and SoftLogix	Affected: 0 , ≤ 18 (custom)
Rockwell Automation	CompactLogix and SoftLogix controllers	Affected: 0 , ≤ 19 (custom)
Rockwell Automation	ControlLogix and GuardLogix controllers	Affected: 0 , ≤ 20 (custom)
Rockwell Automation	MicroLogix	Affected: 1100 Affected: 1400

Credits

Rubén Santamarta of IOActive identified vulnerabilities in Rockwell Automation’s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:28:39.998Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CompactLogix L32E and L35E controllers",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "1788-ENBT FLEXLogix adapter",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "lessThanOrEqual": "18",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CompactLogix and SoftLogix controllers",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "lessThanOrEqual": "19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ControlLogix and GuardLogix controllers",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "lessThanOrEqual": "20",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MicroLogix",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "1100"
            },
            {
              "status": "affected",
              "version": "1400"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\n\n\n\n\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-30T21:59:03.474Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
        },
        {
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
        },
        {
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
        },
        {
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
        },
        {
          "url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to  Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
        }
      ],
      "source": {
        "advisory": "ICSA-13-011-03",
        "discovery": "EXTERNAL"
      },
      "title": "Rockwell Automation ControlLogix PLC Improper Input Validation",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\u003c/p\u003e\u003col\u003e\u003cli\u003eBlock all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\u003c/li\u003e\u003cli\u003eEmploy a UTM appliance that specifically supports CIP message filtering.\u003c/li\u003e\u003c/ol\u003e\n\n\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n  *  Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\n  *  Employ a UTM appliance that specifically supports CIP message filtering.\n\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n  *  Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to  http://www.ab.com/networks/architectures.html  for comprehensive information about implementing validated architectures designed to deliver these measures.\n  *  Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n  *  Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n  *  Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n  *  Make sure that software and control system device firmware is patched to current releases.\n  *  Periodically change passwords in control system components and infrastructure devices.\n  *  Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to  Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2012-6439",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
              "refsource": "MISC",
              "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2012-6436",
    "datePublished": "2013-01-24T21:00:00Z",
    "dateReserved": "2012-12-26T00:00:00Z",
    "dateUpdated": "2025-06-30T21:59:03.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-4874-WFWW-J2MQ

CVE-2012-6436 (GCVE-0-2012-6436)

Tags

Sightings

Nomenclature