Document ID: PN1531
Version: 2.0
Impact Level: High
Vulnerability IDs: CVE-2020-6085, CVE-2020-6084, CVE-2020-6088, CVE-2020-6083, CVE-2020-6087, CVE-2020-6086
Product IDs: Flex I/O, 1794 Flex, 1794/5094 Distributed I/O
Summary: 1794-AENT Flex I/O Series B Contains Multiple Denial of Service Vulnerabilities
Revision History
February 2, 2021 - Version 2.0. Updated Risk Mitigation & User Actions.
November 4, 2020 - Version 1.1. Updated Vulnerability Details.
October 12, 2020 - Version 1.0. Initial Version.
Executive Summary
Rockwell Automation received a report from Jared Rittle of Cisco Talos regarding three vulnerabilities in the 1794-AENT Flex I/O Series B adapter. If successfully exploited, these vulnerabilities may lead to denial-of-service conditions.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
1794-AENT Flex I/O, Series B, versions 4.003 (and earlier).
Vulnerability Details
CVE-2020-6083: Denial of Service due to Ethernet/IP Request Path Port Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Port Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-6084, CVE-2020-6085: Denial of Service due to Ethernet/IP Request Path Logical Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Logical Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet that causes the device to enter a fault state, resulting in a denial-of-service condition.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-6086, CVE-2020-6087: Denial of Service due to Ethernet/IP Request Path Data Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Data Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet that causes the device to enter a fault state, resulting in a denial-of-service condition.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version 1.1 Update:
CVE-2020-6088: Denial of Service due to Ethernet/IP Request Path Network Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Network Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
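The Port, Logical, Network and Data segments named above are all parts of the CIP request path (EPATH) carried in an EtherNet/IP explicit message. The following is an added example, not code from Rockwell Automation or this advisory: a bounds-checked EPATH walker of the kind a protocol validator or test harness would use, which rejects any segment whose declared length exceeds the bytes remaining in the packet instead of reading past the end. Segment layouts follow the CIP EPATH encoding; the sample path and the names MalformedPath, _take, parse_epath and is_well_formed are the example's own.

```python
# Constructed example, not Rockwell Automation or ODVA code: a bounds-checked walk over a CIP
# EPATH; _take() rejects any segment declaring more bytes than remain in the packet buffer.
PORT, LOGICAL, NETWORK, DATA = 0, 1, 2, 4           # segment type lives in the top 3 bits
LOGICAL_TYPES = "class instance member conn_point attribute special service_id reserved".split()
SAMPLE_PATH = bytes.fromhex("010020012401")      # constructed: port 1 link 0, class 1, instance 1

class MalformedPath(ValueError):
    """A segment claims more bytes than the buffer holds, or cannot be decoded."""

def _take(buf, pos, n):
    if pos + n > len(buf):                          # the one check every segment relies on
        raise MalformedPath(f"need {n} byte(s) at offset {pos}, {len(buf) - pos} left")
    return buf[pos:pos + n], pos + n

def parse_epath(buf):
    segs, pos = [], 0
    while pos < len(buf):
        seg_type, low, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
        if seg_type == PORT:                        # extended port id (15) not decoded here
            (size,), pos = _take(buf, pos, 1) if low & 0x10 else ((1,), pos)  # ext. link addr
            val, pos = _take(buf, pos, size)
            if low & 0x10 and size % 2:             # ext. link address padded to 16 bits
                _, pos = _take(buf, pos, 1)
            segs.append(("port", bytes(val)))
        elif seg_type == LOGICAL and (low & 3) != 3:
            ltype, fmt = LOGICAL_TYPES[(low >> 2) & 7], low & 3
            if fmt:                                 # 16/32-bit values carry a pad byte
                _, pos = _take(buf, pos, 1)
            width = 9 if ltype == "special" else (1, 2, 4)[fmt]  # special: electronic key
            val, pos = _take(buf, pos, width)
            segs.append(("logical:" + ltype, bytes(val)))
        elif seg_type == NETWORK and low in (1, 2, 3, 0x10, 0x1F):
            (n,), pos = _take(buf, pos, 1) if low >= 0x10 else ((1,), pos)  # 0x10/0x1F: words
            val, pos = _take(buf, pos, n if low < 0x10 else 2 * n)
            segs.append(("network", bytes(val)))
        elif seg_type == DATA and low in (0x00, 0x11):
            (n,), pos = _take(buf, pos, 1)          # simple: n words; ANSI symbol: n bytes
            val, pos = _take(buf, pos, n if low == 0x11 else 2 * n)
            if low == 0x11 and n % 2:               # symbol padded to an even length
                _, pos = _take(buf, pos, 1)
            segs.append(("data", bytes(val)))
        else:
            raise MalformedPath(f"unknown or reserved segment {seg_type:#x}/{low:#04x}")
    return segs

def is_well_formed(buf):
    try:
        return parse_epath(buf) is not None
    except MalformedPath:
        return False
```

Any path that declares more bytes than the packet holds, in any of the four segment kinds, ends in MalformedPath rather than an out-of-bounds read, which is the property a firmware parser needs and a validator can test for.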
Risk Mitigation & User Action
Customers using the affected firmware versions are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
Vulnerabilities: CVE-2020-6083, CVE-2020-6084, CVE-2020-6085, CVE-2020-6086, CVE-2020-6087, CVE-2020-6088
Affected Products: 1794-AENT Flex I/O, Series B, firmware versions 4.003 and earlier
Suggested Mitigations:
Version 2.0: Apply firmware v4.004 (download).
Version 1.0: It is recommended for customers to use this module in the Cell Area/Zone (Level 1) as defined on page 16 of the System Security Design Guidelines and to only accept CIP connections from trusted sources via port 44818. For successful exploitation, these vulnerabilities require Ethernet/IP packets to reach the destination device. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices in deploying network segmentation and broader defense-in-depth strategies. Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPNs, or other security appliances.
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see Knowledgebase Article ID PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Social Engineering Mitigation Strategies
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations
- Use trusted software, software patches, and antivirus/antimalware programs, and interact only with trusted web sites and attachments.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@rockwellautomation.com).
Copyright ©2022 Rockwell Automation, Inc.