ID OT_500254.NASL Type nessus Reporter This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-11-08T00:00:00
Description
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters.
File data ot_500254.nasl
{"id": "OT_500254.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "Rockwellautomation Controllogix Unspecified Vulnerability", "description": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters.", "published": "2019-11-08T00:00:00", "modified": "2019-11-08T00:00:00", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:C"}, "cvss2": {}, "cvss3": {"score": null, "vector": null}, "href": "https://www.tenable.com/plugins/ot/500254", "reporter": "This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6439", "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"], "cvelist": ["CVE-2012-6439"], "immutableFields": [], "lastseen": "2021-09-08T00:13:32", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-6439"]}, {"type": "ics", "idList": ["ICSA-13-011-03"]}, {"type": "nessus", "idList": ["SCADA_AB_MICROLOGIX_1400.NBIN", "SCADA_ROCKWELL_MICROLOGIX_1100_PLC_DOS_470154.NBIN", "TENABLE_OT_ROCKWELL_CVE-2012-6439.NASL"]}], "rev": 4}, "score": {"value": 8.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2012-6439"]}, {"type": "ics", "idList": ["ICSA-13-011-03"]}, {"type": "nessus", "idList": ["SCADA_AB_MICROLOGIX_1400.NBIN"]}]}, "exploitation": null, "vulnersScore": 8.6}, "pluginID": "500254", "sourceData": "File data ot_500254.nasl", "naslFamily": "SCADA", "cpe": ["cpe:2.3:a:rockwellautomation:controllogix_controllers:*:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:guardlogix_controllers:*:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:softlogix_controllers:*:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\/o_ethernet\\/ip_adapter:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix:*:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix_controllers:*:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:controllogix:*:*:*:*:*:*:*:*", 
"cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:guardlogix:*:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:softlogix:*:*:*:*:*:*:*:*"], "solution": "Refer to vendor advisory for Security Updates", "nessusSeverity": "High", "cvssScoreSource": "CVE-2012-6439", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": "2013-01-24T00:00:00", "vulnerabilityPublicationDate": "2013-01-24T00:00:00", "exploitableWith": [], "_state": {"dependencies": 1647589307, "score": 0}}
{"nessus": [{"lastseen": "2022-02-10T00:00:00", "description": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules;\nCompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter;\nControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier;\nCompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier;\nGuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters.\nThis plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.", "cvss3": {"score": null, "vector": null}, "published": "2022-02-07T00:00:00", "type": "nessus", "title": "Rockwell (CVE-2012-6439)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-6439"], "modified": "2022-02-07T00:00:00", "cpe": ["cpe:/h:rockwellautomation:1768-eweb:-", "cpe:/h:rockwellautomation:compactlogix_l35e_controller:-", "cpe:/h:rockwellautomation:compactlogix_l32e_controller:-", "cpe:/h:rockwellautomation:flexlogix_1788-enbt_adapter:-", "cpe:/h:rockwellautomation:1756-eweb:-", "cpe:/h:rockwellautomation:controllogix", "cpe:/h:rockwellautomation:guardlogix", "cpe:/a:rockwellautomation:micrologix", "cpe:/h:rockwellautomation:compactlogix_controllers", "cpe:/a:rockwellautomation:softlogix_controllers", "cpe:/a:rockwellautomation:controllogix_controllers", "cpe:/a:rockwellautomation:guardlogix_controllers", "cpe:/h:rockwellautomation:1756-enbt:-", "cpe:/h:rockwellautomation:1768-enbt:-", "cpe:/h:rockwellautomation:1794-aentr_flex_i%2fo_ethernet%2fip_adapter:-", "cpe:/h:rockwellautomation:compactlogix", "cpe:/h:rockwellautomation:softlogix"], "id": 
"TENABLE_OT_ROCKWELL_CVE-2012-6439.NASL", "href": "https://www.tenable.com/plugins/ot/500254", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(500254);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/07\");\n\n script_cve_id(\"CVE-2012-6439\");\n\n script_name(english:\"Rockwell (CVE-2012-6439)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OT asset is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules;\nCompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter;\nControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier;\nCompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier;\nGuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service\n(control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters.\nThis plugin only works with Tenable.ot. 
Please visit https://www.tenable.com/products/tenable-ot for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-6439\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:1768-eweb:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:compactlogix_l35e_controller:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:compactlogix_l32e_controller:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:flexlogix_1788-enbt_adapter:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:1756-eweb:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:controllogix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:guardlogix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:rockwellautomation:micrologix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:compactlogix_controllers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:rockwellautomation:softlogix_controllers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:rockwellautomation:controllogix_controllers\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:rockwellautomation:guardlogix_controllers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:1756-enbt:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:1768-enbt:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:1794-aentr_flex_i%2fo_ethernet%2fip_adapter:-\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:compactlogix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:rockwellautomation:softlogix\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Tenable.ot\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tenable_ot_api_integration.nasl\");\n script_require_keys(\"Tenable.ot/Rockwell\");\n\n exit(0);\n}\n\n\ninclude('tenable_ot_cve_funcs.inc');\n\nget_kb_item_or_exit('Tenable.ot/Rockwell');\n\nvar asset = tenable_ot::assets::get(vendor:'Rockwell');\n\nvar vuln_cpes = {\n \"cpe:/h:rockwellautomation:1768-eweb:-\" : {},\n \"cpe:/h:rockwellautomation:compactlogix_l35e_controller:-\" : {},\n \"cpe:/h:rockwellautomation:compactlogix_l32e_controller:-\" : {},\n \"cpe:/h:rockwellautomation:flexlogix_1788-enbt_adapter:-\" : {},\n \"cpe:/h:rockwellautomation:1756-eweb:-\" : {},\n \"cpe:/h:rockwellautomation:controllogix\" :\n {\"versionEndIncluding\" : \"18\"},\n \"cpe:/h:rockwellautomation:guardlogix\" :\n {\"versionEndIncluding\" : \"18\"},\n \"cpe:/a:rockwellautomation:micrologix:1100\" : {},\n \"cpe:/a:rockwellautomation:micrologix:1400\" : {},\n \"cpe:/h:rockwellautomation:compactlogix_controllers\" :\n {\"versionEndIncluding\" : \"19\"},\n \"cpe:/a:rockwellautomation:softlogix_controllers\" :\n {\"versionEndIncluding\" : \"19\"},\n \"cpe:/a:rockwellautomation:controllogix_controllers\" :\n {\"versionEndIncluding\" : \"20\"},\n 
\"cpe:/a:rockwellautomation:guardlogix_controllers\" :\n {\"versionEndIncluding\" : \"20\"},\n \"cpe:/h:rockwellautomation:1756-enbt:-\" : {},\n \"cpe:/h:rockwellautomation:1768-enbt:-\" : {},\n \"cpe:/h:rockwellautomation:1794-aentr_flex_i%2fo_ethernet%2fip_adapter:-\" : {},\n \"cpe:/h:rockwellautomation:compactlogix\" :\n {\"versionEndIncluding\" : \"18\"},\n \"cpe:/h:rockwellautomation:softlogix\" :\n {\"versionEndIncluding\" : \"18\"}\n};\n\ntenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2022-03-27T15:04:00", "description": "The Rockwell Automation MicroLogix 1100 PLC integrated web server has a firmware version that is prior to Series B FRN 13.0. It is, therefore, affected by multiple vulnerabilities :\n\n - An improper access control vulnerability exists when sending a 'stop' command, which causes a denial of service condition leaving the device in an unresponsive state, resulting in a loss of availability for any device connected to the MicroLogix 1100 PLC.\n (CVE-2012-6435)\n\n - An improper validation vulnerability exists when the device attempts to parse a CIP packet sent to affected ports, which causes a buffer overflow that crashes the device's CPU, resulting in a loss of availability for any device connected to the MicroLogix 1100 PLC.\n (CVE-2012-6436)\n\n - An improper authentication vulnerability exists in the module providing source and data authentication, which can allow a remote attacker to upload an arbitrary firmware image to the ethernet card, resulting in the execution of code or causing a denial of service and a loss of availability for any device connected to the MicroLogix 1100 PLC. 
(CVE-2012-6437)\n\n - An improper validation vulnerability exists when the device attempts to parse a malformed CIP packet, which causes an overflow condition in the network interface card (NIC), resulting in a denial of service condition and a loss of availability for any device connected to the MicroLogix 1100 PLC. (CVE-2012-6438)\n\n - An improper access control vulnerability exists when parsing a CIP message that changes the device's network or configuration parameters, resulting in a denial of service condition and a loss of communication for any device connected to the MicroLogix 1100 PLC.\n (CVE-2012-6439)\n\n - An information exposure vulnerability exists when sending a 'dump' command, which results in the improper disclosure of boot code information from the MicroLogix 1100 PLC. (CVE-2012-6441)\n\n - An improper access control vulnerability exists when sending a 'reset' command, which causes a denial of service condition leaving the device in an unresponsive state, resulting in a loss of availability for any device connected to the MicroLogix 1100 PLC.\n (CVE-2012-6442)", "cvss3": {"score": null, "vector": null}, "published": "2015-07-07T00:00:00", "type": "nessus", "title": "Rockwell Automation MicroLogix 1100 PLC < Series B FRN 13.0 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-6435", "CVE-2012-6436", "CVE-2012-6437", "CVE-2012-6438", "CVE-2012-6439", "CVE-2012-6441", "CVE-2012-6442"], "modified": "2022-02-14T00:00:00", "cpe": ["cpe:/a:rockwellautomation:micrologix:1100"], "id": "SCADA_ROCKWELL_MICROLOGIX_1100_PLC_DOS_470154.NBIN", "href": "https://www.tenable.com/plugins/nessus/84567", "sourceData": "Binary data scada_rockwell_micrologix_1100_plc_dos_470154.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T14:56:41", "description": "The installed firmware on the remote Allen-Bradley MicroLogix 1400 controller is affected by multiple vulnerabilities :\n\n - A flaw 
exists when handling messages that modify specific bits in status files. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-4690)\n\n - A flaw exists in the Ethernet/IP protocol implementation when handling a CIP message that specifies a logic-execution 'stop' command. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition.\n (CVE-2012-6435)\n\n - A buffer overflow condition exists due to improper validation of user-supplied input when parsing CIP packets. An unauthenticated, remote attacker can exploit this, via a malformed packet, to cause a denial of service condition. (CVE-2012-6436, CVE-2012-6438)\n\n - A flaw exists due to a failure to properly authenticate Ethernet firmware updates. An unauthenticated, remote attacker can exploit this, via a trojan horse update image, to execute arbitrary code. (CVE-2012-6437)\n\n - A flaw exists when handling CIP messages that modify network and configuration parameters. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-6439)\n\n - A flaw exists due to a failure to properly restrict session replaying. A man-in-the-middle attacker can exploit this, via HTTP traffic, to conduct a replay attack. (CVE-2012-6440)\n\n - An information disclosure vulnerability exists in the Ethernet/IP protocol implementation when handling the 'dump' command. An unauthenticated, remote attacker can exploit this, via a specially crafted CIP packet, to disclose the boot code of the device. (CVE-2012-6441)\n\n - A flaw exists in the Ethernet/IP protocol implementation when handling a CIP message that specifies a 'reset' command. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. 
(CVE-2012-6442)\n\nNote that Nessus has not tested for these issues but has instead relied only on the firmware's self-reported version number.", "cvss3": {"score": null, "vector": null}, "published": "2016-05-27T00:00:00", "type": "nessus", "title": "Allen-Bradley MicroLogix 1400 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4690", "CVE-2012-6435", "CVE-2012-6436", "CVE-2012-6437", "CVE-2012-6438", "CVE-2012-6439", "CVE-2012-6440", "CVE-2012-6441", "CVE-2012-6442"], "modified": "2022-02-14T00:00:00", "cpe": ["cpe:/h:rockwellautomation:ab_micrologix_controller:1400"], "id": "SCADA_AB_MICROLOGIX_1400.NBIN", "href": "https://www.tenable.com/plugins/nessus/91345", "sourceData": "Binary data scada_AB_micrologix_1400.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:50:23", "description": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters.", "cvss3": {}, "published": "2013-01-24T21:55:00", "type": "cve", "title": "CVE-2012-6439", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "PARTIAL", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6439"], "modified": "2013-01-25T16:29:00", "cpe": ["cpe:/h:rockwellautomation:1768-eweb:-", "cpe:/h:rockwellautomation:compactlogix:18", "cpe:/h:rockwellautomation:1756-eweb:-", "cpe:/h:rockwellautomation:compactlogix_controllers:19", "cpe:/h:rockwellautomation:guardlogix:18", "cpe:/a:rockwellautomation:guardlogix_controllers:20", "cpe:/h:rockwellautomation:1794-aentr_flex_i\\/o_ethernet\\/ip_adapter:-", "cpe:/h:rockwellautomation:softlogix:18", "cpe:/a:rockwellautomation:softlogix_controllers:19", "cpe:/h:rockwellautomation:1768-enbt:-", "cpe:/a:rockwellautomation:micrologix:1100", "cpe:/h:rockwellautomation:compactlogix_l35e_controller:-", "cpe:/h:rockwellautomation:compactlogix_l32e_controller:-", "cpe:/a:rockwellautomation:controllogix_controllers:20", "cpe:/h:rockwellautomation:controllogix:18", "cpe:/a:rockwellautomation:micrologix:1400", "cpe:/h:rockwellautomation:flexlogix_1788-enbt_adapter:-", "cpe:/h:rockwellautomation:1756-enbt:-"], "id": "CVE-2012-6439", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6439", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:C"}, "cpe23": ["cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix:18:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:controllogix_controllers:20:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix_controllers:19:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\/o_ethernet\\/ip_adapter:-:*:*:*:*:*:*:*", 
"cpe:2.3:a:rockwellautomation:micrologix:1100:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:softlogix_controllers:19:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:guardlogix_controllers:20:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:controllogix:18:*:*:*:*:*:*:*", "cpe:2.3:a:rockwellautomation:micrologix:1400:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:softlogix:18:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:guardlogix:18:*:*:*:*:*:*:*", "cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*"]}], "ics": [{"lastseen": "2022-04-26T22:35:48", "description": "## Overview\n\nThis advisory is a follow up to the original alert titled ICS-ALERT-12-020-02A\u2014Rockwell Automation ControlLogix PLC Vulnerabilities that was published February 14, 2012, on the ICS-CERT Web page.\n\nIndependent researcher Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012. The vulnerabilities are exploitable by transmitting arbitrary commands from a control interface to the programmable logic controller (PLC) or network interface card (NIC). The information was released without coordination with either the vendor or ICS-CERT. Rockwell Automation released firmware patches on July 18, 2012, that resolve the following vulnerabilities. There have been no updates from Rockwell since these patches were released. Exploitation of these vulnerabilities could allow loss of confidentiality, integrity, and availability of the device.\n\nThese vulnerabilities could be exploited remotely. 
Exploits that target these vulnerabilities are publicly available.\n\n## Affected Products\n\nThe following Rockwell products are affected:\n\n * All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications,\n * 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules,\n * CompactLogix L32E and L35E controllers,\n * 1788-ENBT FLEXLogix adapter,\n * 1794-AENTR FLEX I/O EtherNet/IP adapter,\n * ControlLogix, CompactLogix, GuardLogix, and SoftLogix, Version 18 and prior,\n * CompactLogix and SoftLogix controllers, Version 19 and prior,\n * ControlLogix and GuardLogix controllers, Version 20 and prior,\n * MicroLogix 1100, and\n * MicroLogix 1400.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities may result in a denial-of-service (DoS) condition, controller fault, or enable a Man-in-the-Middle (MitM) attack, or Replay attack.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## Background\n\nRockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.\n\nThe affected products are PLCs and communication modules. According to Rockwell Automation, these products are deployed across several sectors including agriculture and food, water, chemical, manufacturing and others. 
According to Rockwell\u2019s Web site, these products are used in France, Italy, the Netherlands, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.\n\n## Vulnerability Characterization\n\n### Vulnerability Overview\n\n#### [Improper Access Control\u2014Change IP](<http://cwe.mitre.org/data/definitions/284.html>)\n\nWhen an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that changes the product\u2019s configuration and network parameters, a DoS condition can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.\n\n[CVE-2012-6439](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6439>) has been assigned to this vulnerability. A CVSS v2 base score of 8.5 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:N/I:P/A:C)](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:P/A:C>).\n\n#### [Improper Access Control\u2014Reset](<http://cwe.mitre.org/data/definitions/284.html>)\n\nWhen an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.\n\nThis vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference.\n\n[CVE-2012-6442 ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6442>)has been assigned to this vulnerability. 
A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:N/I:N/A:C)](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C>).\n\n#### [Improper Access Control\u2014Stop](<http://cwe.mitre.org/data/definitions/284.html>)\n\nWhen an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.\n\n[CVE-2012-6435](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6435>) has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:N/I:N/A:C)](<http://nvdnist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C>).\n\n#### [Information Exposure](<http://cwe.mitre.org/data/definitions/200.html>)\n\nAn information exposure of confidential information results when the device receives a specially crafted CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP. Successful exploitation of this vulnerability could cause loss of confidentiality.\n\nThis vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference.\n\n[CVE-2012-6441](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6441>) has been assigned to this vulnerability. A CVSS v2 base score of 5.0 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:P/I:N/A:N)](<http://nvdnist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N>).\n\n#### [Improper Input Validation\u2014NIC](<http://cwe.mitre.org/data/definitions/20.html>)\n\nThe device does not properly validate the data being sent to the buffer. 
An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the NIC to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\n\n[CVE-2012-6438](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6438>) has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:N/I:N/A:C)](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C>).\n\n#### [Improper Input Validation\u2014CPU](<http://cwe.mitre.org/data/definitions/20.html>)\n\nThe device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\n\n[CVE-2012-6436](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6436>) has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:N/I:N/A:C)](<http://nvdnist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C>).\n\n#### [Authentication Bypass by Capture\u2014Replay](<http://cwe.mitre.org/data/definitions/294.html>)\n\nThe Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. 
Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\n\nhis vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference.\n\n[CVE-2012-6440](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6440>) has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is [(AV:N/AC:M/Au:N/C:C/I:C/A:C)](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C>).\n\n#### [Improper Authentication\u2014Firmware Upload](<http://cwe.mitre.org/data/definitions/284.html>)\n\nThe device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices.\n\n[CVE-2012-6437](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6437>) has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:C/I:C/A:C)](<http://nvdnist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C>).\n\n### Vulnerability Details\n\n#### Exploitability\n\nThese vulnerabilities could be exploited remotely.\n\n#### Existence of Exploit\n\nExploits that target these vulnerabilities are publicly available.\n\n#### Difficulty\n\nAn attacker with a low-medium skill would be able to exploit these vulnerabilities.\n\n## Mitigation\n\nAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. 
After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154> \n<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470155> \n<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470156>\n\nFor more information on security with Rockwell Automation products, please refer to [Rockwell\u2019s Security Advisory Index](<http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102>).\n\nRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if that is not possible right away, Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n 1. Block all traffic to the EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Note that this does not protect against an attacker who already has a foothold inside the Manufacturing Zone, so it should be combined with the layered-security measures listed below.\n 2. Employ a UTM appliance that specifically supports CIP message filtering.\n\nTo mitigate the vulnerability pertaining to the corrupted firmware update:\n\n 1. At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware.\n 2. Until Rockwell creates an update, concerned customers are recommended to employ good security design practices and consider using the more contemporary 1756-EN2T EtherNet/IP communication modules for the ControlLogix platform. 
The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.\n\nTo mitigate receiving malformed CIP packets that can cause the controller to enter a fault state:\n\n 1. Where possible, Rockwell recommends users to upgrade the affected products to Logix Release V20 and higher.\n\nTo mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state:\n\n 1. Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher.\n 2. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher.\n 3. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above.\n 4. Employ a UTM as directed above.\n\nTo mitigate the vulnerability with the Web server password authentication mechanism:\n\n 1. Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.\n 2. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\n 3. Where possible, disable the Web server and change all default Administrator and Guest passwords.\n 4. If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as:\n 1. When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\n 2. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\n 5. 
If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n 1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n 2. Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n 3. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n 4. Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n 5. Make sure that software and control system device firmware is patched to current releases.\n 6. Periodically change passwords in control system components and infrastructure devices.\n 7. Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices. 
Critical devices should not directly face the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B\u2014Targeted Cyber Intrusion Detection and Mitigation Strategies.\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSA-13-011-03>); we'd welcome your feedback.\n", "cvss3": {}, "published": "2013-01-10T00:00:00", "type": "ics", "title": "Rockwell Automation ControlLogix PLC Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6435", "CVE-2012-6436", "CVE-2012-6437", "CVE-2012-6438", "CVE-2012-6439", "CVE-2012-6440", "CVE-2012-6441", "CVE-2012-6442"], "modified": "2019-02-13T00:00:00", "id": "ICSA-13-011-03", "href": "https://www.us-cert.gov/ics/advisories/ICSA-13-011-03", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}