CVSS2: 7.5 High
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL
- AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 10 High
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: CHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.7 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 51.7%)

An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending a malformed Common Industrial Protocol (CIP) packet, an attacker may be able to overflow a stack-based buffer and execute code on the controller or initiate a nonrecoverable fault resulting in a denial of service.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(500092);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/30");
script_cve_id("CVE-2016-9343");
script_name(english:"Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow (CVE-2016-9343)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"An issue was discovered in Rockwell Automation Logix5000 Programmable
Automation Controller FRN 16.00 through 21.00 (excluding all firmware
versions prior to FRN 16.00, which are not affected). By sending
malformed common industrial protocol (CIP) packet, an attacker may be
able to overflow a stack-based buffer and execute code on the
controller or initiate a nonrecoverable fault resulting in a denial of
service.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-16-343-05");
script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/95304");
# https://www.rockwellautomation.com/en-us/support/advisory.PN950.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6442c056");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Rockwell Automation has released new firmware versions to mitigate the identified vulnerability in the affected
Logix5000 Controllers, with the exception of the FlexLogix controller, which has been discontinued and is no longer
supported.
Rockwell Automation encourages users to install the new firmware version listed below (Catalog Numbers, “CN”, in
parenthesis):
- DriveLogix 5730 (Embedded Controller Option with PowerFlex 700S) v16.23 (Catalog numbers beginning with 20D with a “K”
or “L” in the 17th position);
- DriveLogix 5730 (Embedded Controller Option with PowerFlex 700S) v17.05 (Catalog numbers beginning with 20D with a “K”
or “L” in the 17th position);
For more information about these catalog numbers, see Page 10 of the PowerFlex 700S Drives with Phase II Control
Technical Data document.
- SoftLogix 5800 v23.00 and above (CN 1789-Lx);
- RSLogix Emulate 5000 v23.00 and above (CN 9310-Wx);
- ControlLogix L55 v16.023 and above (CN 1756-L55x);
- ControlLogix 5560 v16.023 and above (CN 1756-L6);
- ControlLogix 5560 v20.014 and above (CN 1756-L6);
- ControlLogix 5570 v20.014 and above (CN 1756-L7);
- ControlLogix 5570 v23.012 and above (CN 1756-L7);
- ControlLogix 5570 v24 and above (CN 1756-L7);
- ControlLogix 5560 Redundant v20.056 and above (CN 1756-L6);
- ControlLogix 5570 Redundant v20.056 and above (CN 1756-L7);
- ControlLogix 5570 Redundant v24.052 and above (CN 1756-L7);
- CompactLogix L23x and L3x v20.014 and above (CN 1769-L23, 1769-L31, 1769-L32, 1769-L35);
- CompactLogix 5370 L1, L2, and L3 Controllers v20.014 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix 5370 L1, L2, and L3 Controllers v23.012 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix 5370 L1, L2, and L3 Controllers v24 and above (CN 1769-L1, 1769-L2, and 1769-L3);
- CompactLogix L4x v16.026 (Series A, B, and C) and v16.027 and above (Series D) (CN 1768-L4x);
- CompactLogix L4x v20.014 and above (Series A, B, and C) and v20.016 and above (Series D) (CN 1768-L4x);
- Compact GuardLogix L4xS v20.018 and above (CN 1768-L4xS);
- GuardLogix 5560 v20.018 and above (CN 1756-L6S);
- GuardLogix 5570 v20.018 and above (CN 1756-L7S);
- GuardLogix 5570 v23.012 and above (CN 1756-L7S); and
- GuardLogix 5570 v24 and above (CN 1756-L7S).
Rockwell Automation’s new firmware versions are available at the following URL:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx
Rockwell Automation’s security notification is available at the following URL, with a valid account:
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/970074
Rockwell Automation recommends that users apply additional precautions and risk mitigation strategies to this type of
attack, when possible, which could include the following:
- Use proper network infrastructure controls, such as firewalls, to help confirm that requests from unauthorized sources
are blocked.
- Block all traffic to affected devices from outside the Manufacturing Zone by blocking or restricting access to Port
2222 TCP/UDP and Port 44818 TCP/UDP, using network infrastructure controls, such as firewalls, or other security
appliances.
- When possible, keep the controller in RUN mode rather than Remote RUN or Remote Program in order to prevent other
disruptive changes to the system.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9343");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(787);
script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/13");
script_set_attribute(attribute:"patch_publication_date", value:"2017/02/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_l55_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5560_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5570_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:flexlogix_l34_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:softlogix_5800_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1768_compact_guardlogix_l4xs_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_5370_l1_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_5370_l2_controller_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:1769_compactlogix_5370_l3_controller_firmware");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Rockwell");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Rockwell');
var asset = tenable_ot::assets::get(vendor:'Rockwell');
var vuln_cpes = {
"cpe:/o:rockwellautomation:controllogix_l55_controller_firmware:16" :
{"versionEndIncluding" : "16.022", "versionStartIncluding" : "16.020", "family" : "ControlLogix"},
"cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware:16" :
{"versionEndIncluding" : "16.999", "versionStartIncluding" : "16.000", "family" : "ControlLogix5560"},
"cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware:19" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "19.000", "family" : "ControlLogix5560"},
"cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware:20" :
{"versionEndIncluding" : "20.055", "versionStartIncluding" : "20.050", "family" : "ControlLogix5560"},
"cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware:20" :
{"versionEndIncluding" : "20.055", "versionStartIncluding" : "20.050", "family" : "ControlLogix5570"},
"cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware:21" :
{"versionEndIncluding" : "24.051", "versionStartIncluding" : "21.000", "family" : "ControlLogix5570"},
"cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware:16" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "16.000", "family" : "GuardLogix5560"},
"cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware:20" :
{"versionEndIncluding" : "20.017", "versionStartIncluding" : "20.010", "family" : "GuardLogix5560"},
"cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware:20" :
{"versionEndIncluding" : "20.017", "versionStartIncluding" : "20.010", "family" : "GuardLogix5570"},
"cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware:21" :
{"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "GuardLogix5570"},
"cpe:/o:rockwellautomation:controllogix_5560_controller_firmware:16" :
{"versionEndIncluding" : "16.022", "versionStartIncluding" : "16.020", "family" : "ControlLogix5560"},
"cpe:/o:rockwellautomation:controllogix_5560_controller_firmware:17" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "ControlLogix5560"},
"cpe:/o:rockwellautomation:controllogix_5560_controller_firmware:20" :
{"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "ControlLogix5560"},
"cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:18" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "18.000", "family" : "ControlLogix5570"},
"cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:20" :
{"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "ControlLogix5570"},
"cpe:/o:rockwellautomation:controllogix_5570_controller_firmware:21" :
{"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "ControlLogix5570"},
"cpe:/o:rockwellautomation:flexlogix_l34_controller_firmware:16" :
{"versionEndIncluding" : "16.999", "versionStartIncluding" : "16.000", "family" : "FlexLogix"},
"cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware:16" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "16.000", "family" : "CompactLogix5320"},
"cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware:20" :
{"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5320"},
"cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware:16" :
{"versionEndIncluding" : "16.023", "versionStartIncluding" : "16.020", "family" : "CompactLogix"},
"cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware:17" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "CompactLogix"},
"cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware:20" :
{"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix"},
"cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware:16" :
{"versionEndIncluding" : "16.026", "versionStartIncluding" : "16.020", "family" : "CompactLogix5340"},
"cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware:17" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "CompactLogix5340"},
"cpe:/o:rockwellautomation:1768_compactlogix_l4x_controller_firmware:20" :
{"versionEndIncluding" : "20.015", "versionStartIncluding" : "20.011", "family" : "CompactLogix5340"},
"cpe:/o:rockwellautomation:softlogix_5800_controller_firmware:17" :
{"versionEndIncluding" : "22.999", "versionStartIncluding" : "17.000", "family" : "SoftLogix5800"},
"cpe:/o:rockwellautomation:1768_compact_guardlogix_l4xs_controller_firmware:17" :
{"versionEndIncluding" : "19.999", "versionStartIncluding" : "17.000", "family" : "CompactLogix5340"},
"cpe:/o:rockwellautomation:1768_compact_guardlogix_l4xs_controller_firmware:20" :
{"versionEndIncluding" : "20.017", "versionStartIncluding" : "20.011", "family" : "CompactLogix5340"},
"cpe:/o:rockwellautomation:1769_compactlogix_5370_l1_controller_firmware:20" :
{"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:1769_compactlogix_5370_l1_controller_firmware:21" :
{"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:1769_compactlogix_5370_l2_controller_firmware:20" :
{"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:1769_compactlogix_5370_l2_controller_firmware:21" :
{"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:1769_compactlogix_5370_l3_controller_firmware:20" :
{"versionEndIncluding" : "20.013", "versionStartIncluding" : "20.010", "family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:1769_compactlogix_5370_l3_controller_firmware:21" :
{"versionEndIncluding" : "23.011", "versionStartIncluding" : "21.000", "family" : "CompactLogix5370"},
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

Vendor | Product | Version | CPE |
---|---|---|---|
rockwellautomation | controllogix_l55_controller_firmware | | cpe:/o:rockwellautomation:controllogix_l55_controller_firmware |
rockwellautomation | controllogix_5560_redundant_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5560_redundant_controller_firmware |
rockwellautomation | controllogix_5570_redundant_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5570_redundant_controller_firmware |
rockwellautomation | guardlogix_5560_controller_firmware | | cpe:/o:rockwellautomation:guardlogix_5560_controller_firmware |
rockwellautomation | guardlogix_5570_controller_firmware | | cpe:/o:rockwellautomation:guardlogix_5570_controller_firmware |
rockwellautomation | controllogix_5560_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5560_controller_firmware |
rockwellautomation | controllogix_5570_controller_firmware | | cpe:/o:rockwellautomation:controllogix_5570_controller_firmware |
rockwellautomation | flexlogix_l34_controller_firmware | | cpe:/o:rockwellautomation:flexlogix_l34_controller_firmware |
rockwellautomation | 1769_compactlogix_l23x_controller_firmware | | cpe:/o:rockwellautomation:1769_compactlogix_l23x_controller_firmware |
rockwellautomation | 1769_compactlogix_l3x_controller_firmware | | cpe:/o:rockwellautomation:1769_compactlogix_l3x_controller_firmware |