11-November-2020 - Version 1.3. Corrected suggested actions.
16-November-2019 - Version 1.2. Updated Advisory.
30-July-2019 - Version 1.0. Initial Release.
09-October-2019 - Updated Advisory
On October 1st, 2019, it was reported (ICS-CERT Advisory: ICSA-19-274-01) that the series of TCP/IP stack vulnerabilities originally reported as impacting VxWorks systems were now found to impact additional real-time operating system vendors including ENEA, Green Hills Software, ITRON, and IP Infusion. Rockwell Automation is not aware of any products affected by the new advisory. An investigation is ongoing and this advisory will be updated when the investigation is complete.
16-November-2019 - Updated Advisory
Rockwell Automation completed an investigation into the additional, impacted real-time operating systems reported in ICS-CERT Advisory: ICSA-19-274-01, and concluded that no products are affected by this new advisory.
The Rockwell Automation PSIRT has updated the suggested actions for the ControlLogix 5580 and CompactLogix. Please refer to the Risk Mitigation & User Action section below for more information.
The Rockwell Automation PSIRT has updated the suggested actions for the ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and Compact GuardLogix 5380. Please refer to the Risk Mitigation & User Action section below for more information.
Executive Summary
Armis, an Internet of Things (IoT) security firm, reported a total of eleven vulnerabilities to WindRiver that affect VxWorks, a real-time operating system (RTOS) utilized by many different technology vendors, including Rockwell Automation™. These vulnerabilities, if successfully exploited, may result in several impacts ranging from packet information disclosure to allowing a threat actor to execute arbitrary code on the targeted device.
Not every VxWorks vulnerability applies to every impacted product family. Please see the table under Affected Products for a full list of the potentially affected Rockwell Automation products and the corresponding VxWorks vulnerabilities, which are identified by their Common Vulnerabilities and Exposures (CVE) ID.
Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.
Affected Products
Product Family | Catalogs | CVE-2019-12255 | CVE-2019-12256 | CVE-2019-12257 | CVE-2019-12258 | CVE-2019-12259 | CVE-2019-12260 | CVE-2019-12261 | CVE-2019-12262 | CVE-2019-12263 | CVE-2019-12264 | CVE-2019-12265 |
CompactLogix™ 5480 (EPIC controller) | 5069-L4 | x | x |
| x | x | x | x | x | x | ||
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | x | x |
| x | x | x | x | x | x | ||
ControlLogix® 5580 (+ GuardLogix®) | 1756-L8 | x | x |
| x | x | x | x | x | x | ||
CompactLogix Compact GuardLogix 5380 | 5069-L3 | x | x |
| x | x | x | x | x | x | ||
CompactLogix 5370 | 1769-L3 | x | x | x |
| x | x | x | x | x | ||
CompactLogix GuardLogix 5370 | 1769-L3S | x | x | x |
| x | x | x | x | x | ||
CompactLogix 5370 | 1769-L2 | x | x | x |
| x | x | x | x | x | ||
CompactLogix 5370 | 1769-L1 | x | x | x |
| x | x | x | x | x | ||
ControlLogix EtherNet/IP Module | 1756-EN2TSC/A | x | x | x |
| x | x | x | x | x | ||
ControlLogix EtherNet/IP Module | 1756-EN2TSC/B | x | x | x | x |
| x | x | x | x | x | |
ControlLogix EtherNet/IP Module | 1756-EN2T/C | x | x | x |
| x | x | x | x | x | ||
ControlLogix EtherNet/IP Module | 1756-EN2T/D | x | x | x | x |
| x | x | x | x | x | |
ControlLogix EtherNet/IP Module | 1756-EN4TR | x | x |
| x | x | x | x | x | x | ||
ControlLogix EtherNet/IP Module | 1756-EN2TP/A | x | x | x | x |
| x | x | x | x | x | |
ControlLogix EtherNet/IP Module | 1756-EN2TR/B | x | x | x | x | x | x | x | x | |||
ControlLogix EtherNet/IP Module | 1756-EN2TR/C | x | x | x | x |
|
| x | x | x | x | x |
ControlLogix EtherNet/IP Module | 1756-EN3TR/B | x | x | x | x |
|
| x | x | x | x | X |
ControlLogix EtherNet/IP Module | 1756-EN2F/C | x | x | x | x |
|
| x | x | x | x | x |
ControlLogix EtherNet/IP Module | 1756-EN2TRXT | x | x | x |
| x | x | x | x | x | ||
1783-NATR, Network Address Translation Router | 1783-NATR | x | x |
| x | x | x | x | x | x | ||
ArmorBlock® I/O Modules | 1732E-8CFGM8R | x | x | x |
| x | x | x | x | x | ||
ArmorBlock I/O Modules | 1732E-IB8M8SOER | x | x | x |
| x | x | x | x | x | ||
ArmorBlock I/O Modules | 1732E-IF4M12R | x | x | x |
| x | x | x | x | x | ||
ArmorBlock I/O Modules | 1732E-IR4M12R | x | x | x |
| x | x | x | x | x | ||
ArmorBlock I/O Modules | 1732E-IT4M12R | x | x | x |
| x | x | x | x | x | ||
ArmorBlock I/O Modules | 1732E-OB8M8SR | x | x | x |
| x | x | x | x | x | ||
ArmorBlock I/O Modules | 1732E-OF4M12R | x | x | x |
| x | x | x | x | x | ||
ArmorBlock I/O Modules | 1732E-8IOLM12R |
| x |
| x |
| x | x | x | x | x | x |
Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22 | x | x | x |
| x | x | x | x | x | ||
Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22A | x | x | x |
| x | x | x | x | x | ||
Bulletin 56RF High-Frequency RFID | 56RF-IN-IPS12 | x | x | x |
| x | x | x | x | x | ||
SLC™ 500 EtherNet/IP Adapter | 1747-AENTR | x | x | x |
| x | x | x | x | x | ||
CompactLogix E/IP Adapter | 1769-AENTR | x | x | x |
| x | x | x | x | x | ||
Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | x |
| x | x |
|
| x | x | x | x | x |
Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | x | x | x |
| x | x | x | x | x |
Vulnerability Details
Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.
CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.
CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could utilize this vulnerability to overwrite the heap, which may result in a crash later on when a task requests memory from the heap.
CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.
Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.
CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.
Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.
CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.
Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.
Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.
CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.
Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.
Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.
CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.
Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.
CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.
Risk Mitigation & User Action
Customers using affected products are encouraged to evaluate their risk and, when possible, combine the risk mitigation strategies listed below with the general security guidelines.
- Ensure all devices are placed behind an external firewall and add a rule to drop or block any TCP segment where the “URG-flag” is set.
- Take the suggested actions for the products in the table below:
Product | Catalog Numbers | Suggested Actions |
CompactLogix™ 5480 (EPIC Controller) | 5069-L4 | Upgrade to firmware version 32.013 (Download) or later. |
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR. |
ControlLogix EtherNet/IP Module | 1756-EN2TSC/A 1756-EN2TSC/B | Will not be patched as it has been discontinued. |
ControlLogix EtherNet/IP Module | 1756-EN2T/D 1756-EN2TP/A 1756-EN2TR/B 1756-EN2TR/C 1756-EN2F/C 1756-EN4TR | Upgrade to firmware version 11.002 (Download) or later. 1756-EN4TR only: upgrade to firmware version 3.001 (Download) or later. |
ControlLogix 5580 | 1756-L8 | Upgrade to firmware version 30.015 (Download) or version 31.013 (Download) or version 32.013 (Download) or later. |
GuardLogix 5580 | 1756-L8S | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. |
CompactLogix 5380 | 5069-L3 | Upgrade to firmware version 30.015 (Download) or version 31.013 (Download) or version 32.013 (Download) or later. |
Compact GuardLogix 5380 | 5069-L3S2 | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. |
CompactLogix 5370 | 1769-L3 1769-L2 1769-L1 | Upgrade to firmware version 32.013 (Download) or later. |
CompactLogix GuardLogix 5370 | 1769-L3S | Upgrade to firmware version 28.015 (Download) or version 32.013 (Download) or later. |
1783-NATR, Network Address Translation Router | 1783-NATR | Upgrade to firmware version 1.005 (Download) or later. |
Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | Upgrade to firmware version 1.050 (Download) or later. |
Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | Upgrade to firmware version 3.005 (Download) or later. |
SLC 500 EtherNet/IP Adapter | 1747-AENTR | Upgrade to firmware version 2.003 (Download) or later. |
CompactLogix E/IP Adapter | 1769-AENTR | Upgrade to firmware version 1.002 (Download) or later. |
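The conditions described under Vulnerability #1 (URG flag set with a zero urgent pointer) and Vulnerability #2 (malformed IPv4 option lengths), together with the perimeter rule above that drops any TCP segment carrying the URG flag, can all be expressed as checks on raw packet headers. The following is an added example, not code from Rockwell Automation, Wind River or Armis: a small IPv4/TCP header validator a defender can run offline against captured frames to confirm that a firewall or IDS rule catches the packet shapes this advisory names. The packet builders and the three sample packets are constructed for the example; the addresses and ports are placeholders.

```python
"""Header-level checks for the packet shapes named in this advisory.

Added example, not vendor code.  Parses an IPv4 packet, walks the IP option
TLVs and inspects the TCP header, returning a list of findings.  An empty list
means the packet shows none of the conditions the advisory describes.
"""
import struct

# Constructed placeholder addresses (TEST-NET-1, not a real site).
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 20])

TCP_URG = 0x20  # URG bit in the TCP flags byte


def build_ipv4(options: bytes, payload: bytes, proto: int = 6) -> bytes:
    """Build an IPv4 header (checksum left zero) with the given options and payload."""
    options = options + b"\x00" * ((-len(options)) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0, SRC_IP, DST_IP)
    return hdr + options + payload


def build_tcp(flags: int, urgent_ptr: int, payload: bytes = b"") -> bytes:
    """Build a 20-byte TCP header (checksum left zero) to EtherNet/IP port 44818."""
    hdr = struct.pack("!HHIIBBHHH", 50000, 44818, 1, 1, 5 << 4, flags, 8192, 0, urgent_ptr)
    return hdr + payload


def check_packet(pkt: bytes) -> list:
    """Return findings for one IPv4 packet; empty list means no advisory condition seen."""
    findings = []
    if len(pkt) < 20:
        return ["ipv4: truncated header"]
    if pkt[0] >> 4 != 4:
        return ["ipv4: not version 4"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return ["ipv4: header length field out of range"]

    # Walk the option TLVs between byte 20 and the end of the header (Vulnerability #2 area).
    opts = pkt[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Options List
            break
        if kind == 1:          # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            findings.append("ipv4: option without length byte")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            findings.append(f"ipv4: option {kind} has bad length {length}")
            break
        i += length

    if pkt[9] != 6:            # not TCP, nothing more to check here
        return findings
    seg = pkt[ihl:]
    if len(seg) < 20:
        findings.append("tcp: truncated header")
        return findings
    data_offset = (seg[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(seg):
        findings.append("tcp: data offset out of range")
    flags = seg[13]
    urgent_ptr = struct.unpack("!H", seg[18:20])[0]
    if flags & TCP_URG:
        # The advisory's perimeter rule drops every URG segment, so report that first.
        findings.append("tcp: URG flag set")
        if urgent_ptr == 0:
            findings.append("tcp: URG set with urgent pointer 0 (CVE-2019-12255 condition)")
    return findings


# Constructed sample packets for the example (not from any real capture).
CLEAN = build_ipv4(b"", build_tcp(0x18, 0, b"hello"))        # PSH|ACK, no URG
URG_ZERO = build_ipv4(b"", build_tcp(0x38, 0))               # URG|PSH|ACK, urgent pointer 0
BAD_OPTION = build_ipv4(bytes([7, 40, 0, 0]), build_tcp(0x10, 0))  # Record Route option claiming 40 bytes inside a 4-byte option area

if __name__ == "__main__":
    for name, pkt in [("clean", CLEAN), ("urg_zero", URG_ZERO), ("bad_option", BAD_OPTION)]:
        print(name, check_packet(pkt) or ["ok"])
```

On a Linux-based perimeter firewall the same URG condition the advisory asks for is the iptables match `-p tcp --tcp-flags URG URG` with a DROP target; the validator above is meant to confirm, from a capture, that such a rule fires on the right segments and leaves ordinary EtherNet/IP traffic alone.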
General Security Guidelines
- Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP ports 2222, 44818, 80, and 161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Please recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- URGENT/11 General Overview, Technical Overview – Armis
- Security Vulnerability Response Information – WindRiver
- ICS-ADVISORY (ICSA-19-274-01) - Interpeak IPnet TCP/IP Stack