Latest Rockwell Automation vulnerabilities #
Rockwell Automation has disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.
CVE-2024-3493 is rated high with CVSS score of 8.6 involves a specific malformed fragmented packet type which can cause a major nonrecoverable fault (MNRF) in Rockwell Automation's ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product will become unavailable and require a manual restart to recover it.
What is the impact? #
Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.
Are updates or workarounds available? #
Rockwell Automation has provided software updates for the impacted versions.
Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
ControlLogix® 5580 | V35.011 | V35.013, V36.011 |
GuardLogix 5580 | V35.011 | V35.013, V36.011 |
CompactLogix 5380 | V35.011 | V35.013, V36.011 |
1756-EN4TR | V5.001 | V6.001 |
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
hw:"1756-EN4TR"
Rockwell Automation PowerFlex 527 vulnerabilities (March 2024) #
In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.
CVE-2024-2425 and CVE-2024-2426 are both rated high with CVSS score of 7.5 and both involve improper input validation which could cause a web server to crash and CIP communication disruption, respectively, which leads to requiring manual restarts.
CVE-2024-2427 is rated high with CVSS score of 7.5 and indicates a denial-of-service scenario due to improper network packet throttling which causes a device to crash and require a manual restart.
What was the impact? #
Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.
Are updates or workarounds available? #
Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.
Users should disable the web server if it is not needed, which should be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
hw.product:"powerflex"