Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow (CVE-2016-9343)

Nessus (Tenable.ot) plugin TENABLE_OT_ROCKWELL_CVE-2016-9343.NASL
Published: 2022-02-07
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 10 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 9.7 High (Confidence: High)
EPSS: 0.002 Low (Percentile: 51.7%)

An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending a malformed Common Industrial Protocol (CIP) packet, an attacker may be able to overflow a stack-based buffer and execute code on the controller, or initiate a non-recoverable fault resulting in a denial of service.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500092);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/30");

  script_cve_id("CVE-2016-9343");

  script_name(english:"Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow (CVE-2016-9343)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An issue was discovered in Rockwell Automation Logix5000 Programmable
Automation Controller FRN 16.00 through 21.00 (excluding all firmware
versions prior to FRN 16.00, which are not affected). By sending
malformed common industrial protocol (CIP) packet, an attacker may be
able to overflow a stack-based buffer and execute code on the
controller or initiate a nonrecoverable fault resulting in a denial of
service.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-16-343-05");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/95304");
  # https://www.rockwellautomation.com/en-us/support/advisory.PN950.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6442c056");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Rockwell Automation has released new firmware versions to mitigate the identified vulnerability in the affected
Logix5000 Controllers, with the exception of the FlexLogix controller, which has been discontinued and is no longer
supported.

Rockwell Automation encourages users to install the new firmware version listed below (Catalog Numbers, “CN”, in
parenthesis):

- DriveLogix 5730 (Embedded Controller Option with PowerFlex 700S) v16.23 (Catalog numbers beginning with 20D with a “K”
or “L” in the 17th position);
- DriveLogix 5730 (Embedded Controller Option with PowerFlex 700S) v17.05 (Catalog numbers beginning with 20D with a “K”
or “L” in the 17th position);

For more information about these catalog numbers, see Page 10 of the PowerFlex 700S Drives with Phase II Control
Technical Data document.

- SoftLogix 5800 v23.00 and above (CN 1789-Lx);
- RSLogix Emulate 5000 v23.00 and above (CN 9310-Wx);
- ControlLogix L55 v16.023 and above (CN 1756-L55x);
- ControlLogix 5560 v16.023 and above (CN 1756-L6);
- ControlLogix 5560 v20.014 and above (CN 1756-L6);
- ControlLogix 5570 v20.014 and above (CN 1756-L7);
- ControlLogix 5570 v23.012 and above (CN 1756-L7);
- ControlLogix 5570 v24 and above (CN 1756-L7);
- ControlLogix 5560 Redundant v20.056 and above (CN 1756-L6);
- ControlLogix 5570 Redundant v20.056 and above (CN 1756-L7);
- ControlLogix 5570 Redundant v24.052 and above (CN 1756-L7);
- CompactLogix L23x and L3x v20.014 and above (CN 1769-L23, 1769-L31, 1769-L32, 1769-L35);
- CompactLogix 5370 L1, L2, and L3 Controllers v20.014 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix 5370 L1, L2, and L3 Controllers v23.012 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix 5370 L1, L2, and L3 Controllers v24 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix L4x v16.026 (Series A, B, and C) and v16.027 and above (Series D) (CN 1768-L4x);
- CompactLogix L4x v20.014 and above (Series A, B, and C) and v20.016 and above (Series D) (CN 1768-L4x);
- Compact GuardLogix L4xS v20.018 and above (CN 1768-L4xS);
- GuardLogix 5560 v20.018 and above (CN 1756-L6S);
- GuardLogix 5570 v20.018 and above (CN 1756-L7S);
- GuardLogix 5570 v23.012 and above (CN 1756-L7S); and
- GuardLogix 5570 v24 and above (CN 1756-L7S).

Rockwell Automation’s new firmware versions are available at the following URL:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx 

Rockwell Automation’s security notification is available at the following URL, with a valid account:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/970074 

Rockwell Automation recommends that users apply additional precautions and risk mitigation strategies to this type of
attack, when possible, which could include the following:

- Use proper network infrastructure controls, such as firewalls, to help confirm that requests from unauthorized sources
are blocked.
- Block all traffic to affected devices from outside the Manufacturing Zone by blocking or restricting access to Port
2222 TCP/UDP and Port 44818 TCP/UDP, using network infrastructure controls, such as firewalls, or other security
appliances.
- When possible, keep the controller in RUN mode rather than Remote RUN or Remote Program in order to prevent other
disruptive changes to the system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9343");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(787);

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_l55_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5560_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5570_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:flexlogix_l34_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:softlogix_5800_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1768_compact_guardlogix_l4xs_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_5370_l1_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_5370_l2_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_5370_l3_controller_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Rockwell");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Rockwell');

var asset = tenable_ot::assets::get(vendor:'Rockwell');

var vuln_cpes = {
    "cpe:/o:rockwellautomation:controllogix_l55_controller_firmware:16" :
        {"versionEndIncluding" : "16.022", "versionStartIncluding" : "16.020", "family" : "ControlLogix"},
    "cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware:16" :
        {"versionEndIncluding" : "16.999", "versionStartIncluding" : "16.000", "family" : "ControlLogix5560"},
    "cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware:19" :
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "19.000", "family" : "ControlLogix5560"},
    "cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware:20" :
        {"versionEndIncluding" : "20.055", "versionStartIncluding" : "20.050", "family" : "ControlLogix5560"},
    "cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware:20" :
        {"versionEndIncluding" : "20.055", "versionStartIncluding" : "20.050", "family" : "ControlLogix5570"},
    "cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware:21" :
        {"versionEndIncluding" : "24.051", "versionStartIncluding" : "21.000", "family" : "ControlLogix5570"},
    "cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware:16" :
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "16.000", "family" : "GuardLogix5560"},
    "cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware:20" :
        {"versionEndIncluding" : "20.017", "versionStartIncluding" : "20.010", "family" : "GuardLogix5560"},
    "cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware:20" :
        {"versionEndIncluding" : "20.017", "versionStartIncluding" : "20.010", "family" : "GuardLogix5570"},
    "cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware:21" :
        {"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "GuardLogix5570"},
    "cpe:/o:rockwellautomation:controllogix_5560_controller_firmware:16" :
        {"versionEndIncluding" : "16.022", "versionStartIncluding" : "16.020", "family" : "ControlLogix5560"},
    "cpe:/o:rockwellautomation:controllogix_5560_controller_firmware:17" :
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "ControlLogix5560"},
    "cpe:/o:rockwellautomation:controllogix_5560_controller_firmware:20" :
        {"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "ControlLogix5560"},
    "cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:18" :
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "18.000", "family" : "ControlLogix5570"},
    "cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:20" :
        {"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "ControlLogix5570"},
    "cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:21" :
        {"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "ControlLogix5570"},
    "cpe:/o:rockwellautomation:flexlogix_l34_controller_firmware:16" :
        {"versionEndIncluding" : "16.999", "versionStartIncluding" : "16.000", "family" : "FlexLogix"},
    "cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware:16" : 
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "16.000", "family" : "CompactLogix5320"},
    "cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware:20" : 
        {"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5320"},
    "cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware:16" :
        {"versionEndIncluding" : "16.023", "versionStartIncluding" : "16.020", "family" : "CompactLogix"},
    "cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware:17" :
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "CompactLogix"},
    "cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware:20" :
        {"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix"},
    "cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware:16" :
        {"versionEndIncluding" : "16.026", "versionStartIncluding" : "16.020", "family" : "CompactLogix5340"},
    "cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware:17" :
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "CompactLogix5340"},
    "cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware:20" :
        {"versionEndIncluding" : "20.015", "versionStartIncluding" : "20.011", "family" : "CompactLogix5340"},
    "cpe:/o:rockwellautomation:softlogix_5800_controller_firmware:17" :
        {"versionEndIncluding" : "22.999", "versionStartIncluding" : "17.000", "family" : "SoftLogix5800"},
    "cpe:/o:rockwellautomation:1768_compact_guardlogix_l4xs_controller_firmware:17" :
        {"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "CompactLogix5340"},
    "cpe:/o:rockwellautomation:1768_compact_guardlogix_l4xs_controller_firmware:20" :
        {"versionEndIncluding" : "20.017", "versionStartIncluding" : "20.011", "family" : "CompactLogix5340"},
    "cpe:/o:rockwellautomation:1769_compactlogix_5370_l1_controller_firmware:20" :
        {"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:1769_compactlogix_5370_l1_controller_firmware:21" :
        {"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:1769_compactlogix_5370_l2_controller_firmware:20" :
        {"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:1769_compactlogix_5370_l2_controller_firmware:21" :
        {"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:1769_compactlogix_5370_l3_controller_firmware:20" :
        {"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:1769_compactlogix_5370_l3_controller_firmware:21" :
        {"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "CompactLogix5370"},
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
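
To show how the inclusive version windows in the vuln_cpes table above are evaluated, here is an added Python re-implementation of the check. It is not Tenable's code (compare_and_report lives in tenable_ot_cve_funcs.inc, which is not on this page); the rule that a key's trailing ":NN" major component is dropped for product matching and that firmware versions are compared as major/minor integers is an assumption, while the three table rows are copied from the plugin.

```python
"""Added example: firmware version-window matching in the style of the
plugin's vuln_cpes table. Not Tenable's implementation; the matching rule
is an assumption about how such a table is evaluated."""
from typing import Optional

# Subset of the plugin's table (values copied from the page). The key's
# trailing ":NN" is the firmware major (FRN); both window bounds are inclusive.
VULN_CPES = {
    "cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:20":
        {"versionStartIncluding": "20.010", "versionEndIncluding": "20.013", "family": "ControlLogix5570"},
    "cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:21":
        {"versionStartIncluding": "21.000", "versionEndIncluding": "23.011", "family": "ControlLogix5570"},
    "cpe:/o:rockwellautomation:controllogix_l55_controller_firmware:16":
        {"versionStartIncluding": "16.020", "versionEndIncluding": "16.022", "family": "ControlLogix"},
}


def parse_frn(version: str) -> tuple[int, int]:
    """Parse a Rockwell FRN such as '20.013' or 'v24' into (major, minor).
    A bare major (the advisory writes 'v24 and above') is minor 0. Integers,
    not strings, are compared so that field width does not affect ordering."""
    v = version.strip().lower().lstrip("v")
    major, _, minor = v.partition(".")
    return int(major), int(minor or "0")


def in_window(version: str, start: str, end: str) -> bool:
    """True when start <= version <= end (inclusive on both ends)."""
    return parse_frn(start) <= parse_frn(version) <= parse_frn(end)


def base_cpe(cpe: str) -> str:
    """Drop a trailing numeric version component (':21' or ':21.011') so a
    table key and an asset CPE compare on the product only (assumption)."""
    head, sep, tail = cpe.rpartition(":")
    return head if sep and tail.replace(".", "").isdigit() else cpe


def matching_entry(asset_cpe: str, version: str) -> Optional[str]:
    """Return the key of the first row whose product matches the asset and
    whose window contains the firmware version, or None if no row matches."""
    base = base_cpe(asset_cpe)
    for key, row in VULN_CPES.items():
        if base_cpe(key) != base:
            continue
        if in_window(version, row["versionStartIncluding"], row["versionEndIncluding"]):
            return key
    return None


def is_vulnerable(asset_cpe: str, version: str) -> bool:
    """Severity SECURITY_HOLE would be reported when this returns True."""
    return matching_entry(asset_cpe, version) is not None
```

The windows line up with the fixed versions in the solution text: ControlLogix 5570 v20.014 and v23.012 fall just outside the 20.x and 21.x rows, and ControlLogix L55 v16.023 falls just outside its row.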

Affected CPEs (first 10 of 161 rows shown on the page; the Version column is empty for all rows)

Vendor | Product | Version | CPE
rockwellautomation | controllogix_l55_controller_firmware | | cpe:/o:rockwellautomation:controllogix_l55_controller_firmware
rockwellautomation | controllogix_5560_redundant_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware
rockwellautomation | controllogix_5570_redundant_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware
rockwellautomation | guardlogix_5560_controller_firmware | | cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware
rockwellautomation | guardlogix_5570_controller_firmware | | cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware
rockwellautomation | controllogix_5560_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5560_controller_firmware
rockwellautomation | controllogix_5570_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5570_controller_firmware
rockwellautomation | flexlogix_l34_controller_firmware | | cpe:/o:rockwellautomation:flexlogix_l34_controller_firmware
rockwellautomation | 1769_compactlogix_l23x_controller_firmware | | cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware
rockwellautomation | 1769_compactlogix_l3x_controller_firmware | | cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware
