nessus
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
TENABLE_OT_ROCKWELL_CVE-2019-10954.NASL
History: Feb 07, 2022 - 12:00 a.m.

Rockwell Automation CompactLogix 5370 Stack-Based Buffer Overflow (CVE-2019-10954)

www.tenable.com
rockwell automation
compactlogix 5370
buffer overflow

CVSS2: 7.8
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.5
Confidence: High

EPSS: 0.012
Percentile: 85.2%

An attacker could send crafted SMTP packets to cause a denial-of-service condition where the controller enters a major non-recoverable faulted state (MNRF) in CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500057);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2019-10954");
  script_xref(name:"ICSA", value:"19-120-01");

  script_name(english:"Rockwell Automation CompactLogix 5370 Stack-Based Buffer Overflow (CVE-2019-10954)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An attacker could send crafted SMTP packets to cause a denial-of-service condition where the controller enters a major
non-recoverable faulted state (MNRF) in CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370
controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier.  

This plugin only works
with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-19-120-01");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/108118");
  # https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1075979
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ea097b0c");
  # https://www.rockwellautomation.com/en-us/support/advisory.PN1040.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1757d836");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Rockwell Automation strongly encourages users to apply the latest available version of firmware to keep up to date with
the latest features, anomaly fixes, and security improvements. Update firmware to version FRN 31.011 which mitigates the
associated risk:

Rockwell Automation also recommends the following: 

- For EtherNet/IP-based vulnerabilities (ID 1-14), block all traffic to and from outside the manufacturing zone by
blocking or restricting access to Port 2222/TCP/UDP and Port 44818/TCP/UDP using proper network infrastructure controls,
such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell
Automation products, see knowledgebase article ID 898270 (login required).
- Stratix users can use Device Manager or Studio 5000 Logix Designer to configure access control lists (ACL) to
block/restrict ports. See section “Access Control Lists” in Stratix managed switches user manual, publication
1783-UM007, for detailed instructions.
- For web-based vulnerabilities (ID 15-17), block all traffic from outside the manufacturing zone by blocking or
restricting access to Port 80/443/TCP.
- Stratix users can use Device Manager or Studio 5000 Logix Designer to configure ACL’s to block/restrict ports. See
section “Access Control Lists” in Stratix Managed Switches User Manual, publication 1783-UM007, for detailed
instructions.
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that SMTP packets from unauthorized
sources are blocked.
- Consult the product documentation for specific features, such as a hardware key-switch setting, which may be used to
block unauthorized changes, etc.
- Use trusted software, software patches, and antivirus/antimalware programs and interact only with trusted websites and
attachments.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the
Internet. For further information about the risks of unprotected internet accessible control systems, please see
knowledgebase article ID 494865 (login required).
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may
have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as
secure as connected devices.

For more information, please refer to Rockwell’s Security Advisory:
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1075979 (login required)");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10954");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(787);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compact_guardlogix_5370_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:armor_compact_guardlogix_5370_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Rockwell");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Rockwell');

var asset = tenable_ot::assets::get(vendor:'Rockwell');

var vuln_cpes = {
    "cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware" :
        {"versionEndIncluding" : "30.014", "versionStartIncluding" : "20.011", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:compactlogix_5370_l2_firmware" :
        {"versionEndIncluding" : "30.014", "versionStartIncluding" : "20.011", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware" :
        {"versionEndIncluding" : "30.014", "versionStartIncluding" : "20.011", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:compact_guardlogix_5370_firmware" :
        {"versionEndIncluding" : "30.014", "versionStartIncluding" : "20.011", "family" : "GuardLogix5370"},
    "cpe:/o:rockwellautomation:armor_compact_guardlogix_5370_firmware" :
        {"versionEndIncluding" : "30.014", "versionStartIncluding" : "20.011", "family" : "GuardLogix5370"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
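
The plugin's vuln_cpes table can also be applied to a firmware inventory outside Tenable.ot. The following is an added example, not Tenable's code: the internals of tenable_ot::cve::compare_and_report are not shown on this page, so the inclusive, numeric per-component comparison is an assumption, and the asset names and sample versions are constructed.

```python
import re

# Range and CPE names copied from the plugin's vuln_cpes table.
RANGE = {"versionStartIncluding": "20.011", "versionEndIncluding": "30.014"}
VULN_CPES = {f"cpe:/o:rockwellautomation:{p}_firmware": RANGE for p in (
    "compactlogix_5370_l1", "compactlogix_5370_l2", "compactlogix_5370_l3",
    "compact_guardlogix_5370", "armor_compact_guardlogix_5370")}

def parse_version(text):
    """Turn '30.014' into (30, 14); return None if not dotted-numeric."""
    if not isinstance(text, str) or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(cpe, firmware):
    """True/False for a known CPE and parseable version, None otherwise.

    Assumption: both bounds are inclusive and components compare numerically.
    """
    rng = VULN_CPES.get(cpe)
    ver = parse_version(firmware)
    if rng is None or ver is None:
        return None
    lo = parse_version(rng["versionStartIncluding"])
    hi = parse_version(rng["versionEndIncluding"])
    return lo <= ver <= hi

def triage(inventory):
    """Group assets; 'unknown' means manual review, never 'clean'."""
    out = {"affected": [], "not_affected": [], "unknown": []}
    for name, cpe, firmware in inventory:
        verdict = is_affected(cpe, firmware)
        key = "unknown" if verdict is None else (
            "affected" if verdict else "not_affected")
        out[key].append(name)
    return out

L1 = "cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware"
L3 = "cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware"
# Constructed sample inventory (hypothetical asset names and versions).
SAMPLE = [
    ("plc-line1", L1, "30.014"),   # upper bound, still affected
    ("plc-line2", L3, "31.011"),   # fixed FRN named in the solution text
    ("plc-line3", L1, "20.011"),   # lower bound
    ("plc-line4", L1, "v30"),      # unparseable version string
    ("other-dev", "cpe:/o:example:other_firmware", "1.0"),  # CPE not in table
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Assets that land in "unknown" have a version string or CPE the check cannot evaluate and should be reviewed by hand rather than reported as unaffected.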
