CVE-2012-6435
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules | All | affected |
| Rockwell Automation | CompactLogix L32E and L35E controllers | All | affected |
| Rockwell Automation | 1788-ENBT FLEXLogix adapter | All | affected |
| Rockwell Automation | 1794-AENTR FLEX I/O EtherNet/IP adapter | All | affected |
| Rockwell Automation | ControlLogix, CompactLogix, GuardLogix, and SoftLogix | 0 <= 18 | affected |
| Rockwell Automation | CompactLogix and SoftLogix controllers | 0 <= 19 | affected |
| Rockwell Automation | ControlLogix and GuardLogix controllers | 0 <= 20 | affected |
| Rockwell Automation | MicroLogix | 1100 | affected |
| Rockwell Automation | MicroLogix | 1400 | affected |
Weaknesses
- CWE-284: CWE-284
Workarounds
Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.
To mitigate the vulnerabilities pertaining to receiving valid CIP packets:
- Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).
- Employ a UTM appliance that specifically supports CIP message filtering.
In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:
- Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
- Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.
- Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
- Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.
- Make sure that software and control system device firmware is patched to current releases.
- Periodically change passwords in control system components and infrastructure devices.
- Where applicable, set the controller key-switch/mode-switch to RUN mode.
For more information on security with Rockwell Automation products, please refer to Rockwell’s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 .
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03
- https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154
- https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155
- https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156
- http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.