Rockwell Automation ControlLogix 5580 and CompactLogix 5380 Uncontrolled Resource Consumption (CVE-2017-6024)

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500235);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2017-6024");

  script_name(english:"Rockwell Automation ControlLogix 5580 and CompactLogix 5380 Uncontrolled Resource Consumption (CVE-2017-6024)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A Resource Exhaustion issue was discovered in Rockwell Automation ControlLogix 5580 controllers V28.011, V28.012, and
V28.013; ControlLogix 5580 controllers V29.011; CompactLogix 5380 controllers V28.011; and CompactLogix 5380 controllers
V29.011. This vulnerability may allow an attacker to cause a denial of service condition by sending a series of specific
CIP-based commands to the controller.  

This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-17-094-05");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/98309");
  # https://www.rockwellautomation.com/en-us/support/advisory.PN966.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0fee9379");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Rockwell Automation recommends updating to the latest version of ControlLogix 5580 controllers, Version 30.011 or later,
which is available at the following location:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=1756-L8&crumb=112

Rockwell Automation recommends updating to the latest version of CompactLogix 5380 controllers, Version 30.011 or later,
which is available at the following location:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=5069-L&crumb=112

For more information on this vulnerability and more detailed mitigation instructions, please see Rockwell Automation’s
advisory labeled ControlLogix 5580 and CompactLogix 5380 Programmable Automation Controller Denial of Service, Version
1.0, April 4, 2017, at the following location:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1041420

As well as Rockwell Automation’s security page:

http://www.rockwellautomation.com/security/overview.page

ICS-CERT and Rockwell Automation recommend that users take defensive measures to minimize the risk of exploitation of
this vulnerability. Specifically, users should:

- Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking
or restricting access to Port 2222/TCP and UDP and Port 44818/TCP and UDP using proper network infrastructure controls,
such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell
Automation Products, see Knowledgebase Article ID 898270 which is available at the following location:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/898270

- Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible
from the Internet.
- Locate control system networks and devices behind firewalls, and use best practices when isolating them from the
business network. The Common Plant-wide Ethernet (CPwE) guide provides recommendations for deploying a plant-wide
architecture: Industrial Firewalls within a CPwE Architecture
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may
have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as
secure as the connected devices.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6024");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(400);

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5380_firmware:v29.011");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5380_firmware:v28.011");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5580_firmware:v29.011");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5580_firmware:v28.012");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5580_firmware:v28.011");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5580_firmware:v28.013");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Rockwell");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Rockwell');

var asset = tenable_ot::assets::get(vendor:'Rockwell');

var vuln_cpes = {
    "cpe:/o:rockwellautomation:compactlogix_5380_firmware:29.011" :
        {"versionEndIncluding" : "29.011", "versionStartIncluding" : "29.011", "family" : "CompactLogix5380"},
    "cpe:/o:rockwellautomation:compactlogix_5380_firmware:28.011" :
        {"versionEndIncluding" : "28.011", "versionStartIncluding" : "28.011", "family" : "CompactLogix5380"},
    "cpe:/o:rockwellautomation:controllogix_5580_firmware:29.011" :
        {"versionEndIncluding" : "29.011", "versionStartIncluding" : "29.011", "family" : "ControlLogix5580"},
    "cpe:/o:rockwellautomation:controllogix_5580_firmware:28.012" :
        {"versionEndIncluding" : "28.012", "versionStartIncluding" : "28.012", "family" : "ControlLogix5580"},
    "cpe:/o:rockwellautomation:controllogix_5580_firmware:28.011" :
        {"versionEndIncluding" : "28.011", "versionStartIncluding" : "28.011", "family" : "ControlLogix5580"},
    "cpe:/o:rockwellautomation:controllogix_5580_firmware:28.013" :
        {"versionEndIncluding" : "28.013", "versionStartIncluding" : "28.013", "family" : "ControlLogix5580"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);