# ICSA-19-087-01: Rockwell Automation PowerFlex 525 AC Drives

Published 2019-03-28 by the Industrial Control Systems Cyber Emergency Response Team. Source: https://www.us-cert.gov/ics/advisories/ICSA-19-087-01

## 1. EXECUTIVE SUMMARY

 * **CVSS v3 7.5**
 * **ATTENTION:** Exploitable remotely/low skill level to exploit
 * **Vendor:** Rockwell Automation
 * **Equipment:** PowerFlex 525 AC Drives
 * **Vulnerability:** Resource Exhaustion

## 2. RISK EVALUATION

Successful exploitation of this vulnerability could result in resource exhaustion, denial of service, and/or memory corruption.

## 3. TECHNICAL DETAILS

### 3.1 AFFECTED PRODUCTS

The following versions of PowerFlex 525, an AC drive, are affected:

 * PowerFlex 525 AC Drives with embedded EtherNet/IP and Safety Versions 5.001 and earlier.

### 3.2 VULNERABILITY OVERVIEW

**3.2.1 [UNCONTROLLED RESOURCE CONSUMPTION ('RESOURCE EXHAUSTION') CWE-400](https://cwe.mitre.org/data/definitions/400.html)**

A remote, unauthenticated threat actor can repeatedly send specific CIP packets to an affected PowerFlex 525 drive, which may allow disruption of the availability of the device.

[CVE-2018-19282](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19282) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)).

### 3.3 BACKGROUND

 * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing
 * **COUNTRIES/AREAS DEPLOYED:** Worldwide
 * **COMPANY HEADQUARTERS LOCATION:** United States

### 3.4 RESEARCHER

Nicolas Merle of Applied Risk reported this vulnerability to Rockwell Automation.

## 4. MITIGATIONS

Rockwell Automation has released new firmware to address the vulnerability. Download the latest version of the firmware from:

<https://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=25B&crumb=112>

Rockwell Automation recommends the following general security guidelines:

 * Utilize proper network infrastructure controls, such as firewalls, to help ensure CIP messages from unauthorized sources are blocked.
 * Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port 2222 and Port 44818, using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID [898270](https://rockwellautomation.custhelp.com/app/answers/detail/a_id/898270/page/1) (login required).
 * If applicable, consult the product documentation for specific features, such as a hardware key-switch setting, which may be used to block unauthorized changes, etc.
 * Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted websites and attachments.
 * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet or the business network.
 * When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Rockwell Automation has released a security advisory regarding this vulnerability, which can be found on its website at the following location (login required):

<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1082684>

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

## Contact Information

For any questions related to this report, please contact the CISA at:

 * Email: [CISAservicedesk@cisa.dhs.gov](mailto:cisaservicedesk@cisa.dhs.gov)
 * Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report
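The advisory's guideline to block CIP traffic (TCP/UDP 2222 and 44818) from outside the manufacturing zone is only useful if it is verified. The following added example (not part of the advisory and not Rockwell Automation code) audits constructed firewall log lines for two things: CIP packets the firewall accepted into the zone from an external source, and any single source sending a large number of CIP packets to one drive, the repeated-packet pattern described in section 3.2.1. The zone subnet, the log line format and the burst threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): the manufacturing zone is 10.20.0.0/16, the firewall
# logs one line per packet as "<ts> <proto> <src>:<sport> -> <dst>:<dport> <ACCEPT|DROP>",
# and 50 or more CIP packets from one source to one drive in the log window merit review.
MANUFACTURING_ZONE = ip_network("10.20.0.0/16")
CIP_PORTS = {2222, 44818}  # EtherNet/IP I/O (UDP 2222) and explicit messaging (TCP/UDP 44818)
BURST_THRESHOLD = 50
LOG_RE = re.compile(r"(?P<ts>\d+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$")

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {"src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
            "dport": int(m["dport"]), "action": m["action"]}

def audit_cip_traffic(lines):
    """Return (external_accepts, bursts).

    external_accepts: (src, dst, dport) for every CIP packet the firewall ACCEPTED into the zone
    from a source outside it, i.e. a violation of the port 2222/44818 guideline.
    bursts: {(src, dst, dport): count} for any source that sent BURST_THRESHOLD or more CIP
    packets to one device, the repeated-packet pattern the advisory describes.
    """
    external, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in CIP_PORTS or rec["dst"] not in MANUFACTURING_ZONE:
            continue  # not CIP traffic aimed at a device inside the zone
        key = (str(rec["src"]), str(rec["dst"]), rec["dport"])
        if rec["action"] == "ACCEPT" and rec["src"] not in MANUFACTURING_ZONE:
            external.append(key)
        counts[key] += 1
    bursts = {k: n for k, n in counts.items() if n >= BURST_THRESHOLD}
    return external, bursts

# Constructed sample log: normal in-zone traffic, one external packet correctly dropped, one
# external packet wrongly accepted, and one in-zone host sending 60 packets to a drive.
SAMPLE_LOG = [
    "1000 TCP 10.20.3.7:51000 -> 10.20.1.10:44818 ACCEPT",
    "1001 UDP 10.20.3.7:2222 -> 10.20.1.10:2222 ACCEPT",
    "1002 TCP 198.51.100.5:40000 -> 10.20.1.10:44818 DROP",
    "1003 TCP 192.0.2.44:40001 -> 10.20.1.10:44818 ACCEPT",
    "1004 TCP 10.20.3.7:51001 -> 10.20.9.9:80 ACCEPT",
] + [f"{1100 + i} UDP 10.20.5.9:60000 -> 10.20.1.10:44818 ACCEPT" for i in range(60)]

if __name__ == "__main__":
    ext, bursts = audit_cip_traffic(SAMPLE_LOG)
    print("CIP accepted from outside the zone:", ext)
    print("CIP bursts:", bursts)
```

A burst from an in-zone host is not proof of exploitation, but together with a drive that stops accepting new connections it is the signal worth correlating.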
## Related record: CVE-2018-19282 (NVD)

Published 2019-04-04, last modified 2019-04-09. CWE: CWE-400. Link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19282

Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow remote attackers to cause a denial of service by crashing the Common Industrial Protocol (CIP) network stack. The vulnerability allows the attacker to crash the CIP in a way that it does not accept new connections, but keeps the current connections active, which can prevent legitimate users from recovering control.

 * **CVSS v3.0:** base score 9.8 (CRITICAL), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9)
 * **CVSS v2.0:** base score 10.0 (HIGH), vector AV:N/AC:L/Au:N/C:C/I:C/A:C (exploitability 10.0, impact 10.0)
 * **CPE:** cpe:2.3:o:rockwellautomation:powerflex_525_ac_drives_firmware:5.001:*:*:*:*:*:*:*
## Related article: Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk (Threatpost)

Published 2019-03-29. Source: https://threatpost.com/critical-rockwell-automation-bug-in-drive-component-puts-iiot-plants-at-risk/143258/ (CVEs referenced: CVE-2018-19282, CVE-2019-19781)

A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.

The vulnerability was identified in Rockwell Automation's PowerFlex 525 drive component, which is used in applications such as conveyors, fans, pumps and mixers. The drive offers a wide range of motor and software controls, from regulating volts per hertz to software used to manage EtherNet/IP networks.

The flaw, CVE-2018-19282, could be exploited to manipulate the drive's physical process and/or stop it, according to researchers with Applied Risk who found it. The vulnerability has a CVSS score of 9.1, making it critical, according to researchers.

"This finding allows an attacker to crash the Common Industrial Protocol (CIP) in a way that it does not accept any new connection," Nicholas Merle, with Applied Risk, [wrote in a Thursday analysis](https://applied-risk.com/application/files/4215/5385/2294/Advisory_AR2019004_Rockwell_Powerflex_525_Denial_of_Service.pdf) (PDF). "The current connections however, are kept active, giving attackers complete control over the device."

The vulnerability is critical because it gives "complete access to the device and DOS for the other users," an Applied Risk spokesperson told Threatpost. "So availability and integrity are impacted, with no confidentiality impact. Those are also the most important factors in OT environment."

For a variable frequency drive, which controls the speed of motors in a live production environment, that kind of shutdown could have a serious impact. There are no known public exploits that target this vulnerability, researchers said. Versions 5.001 and older of the software are impacted.

To exploit the vulnerability, a bad actor could send a precise sequence of packets, effectively crashing the Common Industrial Protocol (the industrial protocol for industrial automation applications) network stack. An Applied Risk spokesperson told Threatpost that an attacker could be remote and wouldn't need to be authenticated.

![Rockwell Automation Powerflex 525](https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/29091619/drive.png)

This creates an error in the control and configuration software, which crashes. After it crashes, it is not possible to initiate a new connection to the device, effectively preventing any legitimate user from recovering control, researchers said.

If the attacker keeps the connection used to send the payload open, he can continue sending commands as long as the connection is not interrupted, and the only way to recover access to the device is to do a power reset, researchers said.

"Sending a specific UDP packet, a definite amount of time corrupts the… daemon forbidding any new connection to be initiated and disconnecting the configuration and control software from Rockwell Automation," said researchers.

The flaw was first discovered July 30, 2018 and has since been patched. Rockwell Automation did not respond to a request for comment from Threatpost.

Vulnerabilities are particularly insidious when they impact industrial control systems because of the high-risk implications. According to a [U.S. Department of Homeland Security bulletin](https://ics-cert.us-cert.gov/advisories/ICSA-19-087-01), the bug ([CVE-2018-19282](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19282)) is a threat to U.S. critical infrastructure. Downtime for these systems could pose dire monetary – and in some cases even life-threatening – risks.

Rockwell Automation isn't the only industrial control system manufacturer facing security woes. In [February](https://threatpost.com/siemens-critical-remote-code-execution/141768/), Siemens released 16 security advisories for various industrial control and utility products, including a warning for a critical flaw in the WibuKey digital rights management (DRM) solution that affects the SICAM 230 process control system.

And in August, [Schneider Electric](https://threatpost.com/high-severity-flaws-patched-in-schneider-electric-products/137034/) released fixes for a slew of vulnerabilities that can be exploited remotely in two of its industrial control system products.