CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
  Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
AI Score: 7.6 High (Confidence: High)
EPSS: 0.029 Low (Percentile: 90.9%)
This advisory is a follow up to the original alert titled ICS-ALERT-12-020-02A—Rockwell Automation ControlLogix PLC Vulnerabilities that was published February 14, 2012, on the ICS-CERT Web page.
Independent researcher Rubén Santamarta of IOActive identified vulnerabilities in Rockwell Automation’s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012. The vulnerabilities are exploitable by transmitting arbitrary commands from a control interface to the programmable logic controller (PLC) or network interface card (NIC). The information was released without coordination with either the vendor or ICS-CERT. Rockwell Automation released firmware patches on July 18, 2012, that resolve the following vulnerabilities. There have been no updates from Rockwell since these patches were released. Exploitation of these vulnerabilities could allow loss of confidentiality, integrity, and availability of the device.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
The following Rockwell products are affected:
Successful exploitation of these vulnerabilities may result in a denial-of-service (DoS) condition or a controller fault, or may enable a man-in-the-middle (MitM) or replay attack.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.
The affected products are PLCs and communication modules. According to Rockwell Automation, these products are deployed across several sectors including agriculture and food, water, chemical, manufacturing and others. According to Rockwell’s Web site, these products are used in France, Italy, the Netherlands, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.
When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that changes the product’s configuration and network parameters, a DoS condition can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.
CVE-2012-6439 has been assigned to this vulnerability. A CVSS v2 base score of 8.5 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:P/A:C).
When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.
This vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference.
CVE-2012-6442 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.
CVE-2012-6435 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
An information exposure of confidential information results when the device receives a specially crafted CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP. Successful exploitation of this vulnerability could cause loss of confidentiality.
This vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference.
CVE-2012-6441 has been assigned to this vulnerability. A CVSS v2 base score of 5.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:N/A:N).
The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the NIC to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.
CVE-2012-6438 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.
CVE-2012-6436 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
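The five CIP vulnerabilities above share one exposure: a message reaching Port 2222 or Port 44818 (TCP or UDP) from a host that is not an authorized control interface. As an added example, not part of the advisory or of any Rockwell tooling, the following Python script scans constructed iptables-style firewall log lines and flags CIP-port traffic to the controllers from any source outside an allowlist; the allowlist networks, controller addresses and log lines are all assumptions constructed for the example.

```python
import ipaddress
import re

# CIP / EtherNet/IP ports named in the advisory (TCP and UDP on both).
CIP_PORTS = {2222, 44818}
# Assumption (constructed): hosts permitted to talk CIP to the controllers.
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.10.5.0/28"),   # engineering workstations
                      ipaddress.ip_network("10.10.6.20/32")]  # HMI server
# Assumption (constructed): addresses of the ControlLogix controllers / NICs.
PLC_ADDRESSES = {ipaddress.ip_address("10.10.7.11"), ipaddress.ip_address("10.10.7.12")}

# Constructed iptables-style firewall log lines of the shape
# "<timestamp> SRC=<ip> DST=<ip> PROTO=<TCP|UDP> SPT=<port> DPT=<port>"
SAMPLE_LOG = """\
2012-07-19T08:00:01 SRC=10.10.5.3 DST=10.10.7.11 PROTO=TCP SPT=51234 DPT=44818
2012-07-19T08:00:05 SRC=10.10.6.20 DST=10.10.7.12 PROTO=UDP SPT=2222 DPT=2222
2012-07-19T08:01:10 SRC=192.168.1.77 DST=10.10.7.11 PROTO=TCP SPT=40022 DPT=44818
2012-07-19T08:01:11 SRC=192.168.1.77 DST=10.10.7.11 PROTO=UDP SPT=40023 DPT=2222
2012-07-19T08:02:00 SRC=10.10.9.9 DST=10.10.7.12 PROTO=TCP SPT=33000 DPT=80
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dpt>\d+)$")

def is_authorized(src_str):
    """True if the source address sits inside one of the allowlisted networks."""
    src = ipaddress.ip_address(src_str)
    return any(src in net for net in AUTHORIZED_SOURCES)

def find_unauthorized_cip(log_text):
    """Return one record per CIP-port packet sent to a controller from a non-allowlisted host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole run
        dst, dport = ipaddress.ip_address(m["dst"]), int(m["dpt"])
        if dst not in PLC_ADDRESSES or dport not in CIP_PORTS:
            continue  # not CIP traffic to a protected controller (e.g. the web port 80 lines)
        if not is_authorized(m["src"]):
            findings.append({"ts": m["ts"], "src": m["src"], "dst": str(dst),
                             "proto": m["proto"], "dport": dport})
    return findings

if __name__ == "__main__":
    for h in find_unauthorized_cip(SAMPLE_LOG):
        print(f"{h['ts']} unauthorized CIP {h['proto']}/{h['dport']} {h['src']} -> {h['dst']}")
```

Traffic from the allowlisted workstation and HMI, the port-80 web request, and the malformed line are all ignored; only the two packets from the constructed unknown host 192.168.1.77 are reported.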
The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s Web server to view and alter product configuration and diagnostics information.
This vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference.
CVE-2012-6440 has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).
The device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices.
CVE-2012-6437 has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).
These vulnerabilities could be exploited remotely.
Exploits that target these vulnerabilities are publicly available.
An attacker with a low-medium skill would be able to exploit these vulnerabilities.
According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.
To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell’s Advisories at:
<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154>
<https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155>
<https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156>
For more information on security with Rockwell Automation products, please refer to Rockwell’s Security Advisory Index.
Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.
To mitigate the vulnerabilities pertaining to receiving valid CIP packets:
To mitigate the vulnerability pertaining to the corrupted firmware update:
To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state:
To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state:
To mitigate the vulnerability with the Web server password authentication mechanism:
In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.