Loading

ControlLogix® and GuardLogix® Vulnerable to Major Nonrecoverable Fault Due to Invalid Header Value

Severity:
High,
Critical
Advisory ID:
SD1666
Published Date:
April 11, 2024
Last Updated:
December 04, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
CVE IDs
CVE-2024-3493
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
Summary
ControlLogix® and GuardLogix® Vulnerable to Major Nonrecoverable Fault Due to Invalid Header Value

Published Date: April 11, 2024

Last updated: August 5, 2025

Revision Number: 2.0

May 2, 2024 - Added to products to Affected Products and Solutions section

CVSS Score:v.3.1 8.6/10, v.4.0 9.2/10

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in Firmware Revision

 

 

 

 

Corrected in Firmware Revision

 

 

 

 

ControlLogix® 5580

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

GuardLogix 5580

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

CompactLogix 5380

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

Compact GuardLogix 5380

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

1756-EN4TR

 

 

 

 

V5.001

 

 

 

 

V6.001 and later

 

 

 

 

ControlLogix 5580 Process

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

CompactLogix 5380 Process

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011and later

 

 

 

 

CompactLogix 5480

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

SECURITY ISSUE DETAILS  

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues. 

CVE-2024-3493 IMPACT

 A specific malformed fragmented packet type can cause a Major Nonrecoverable Fault (MNRF). The affected product could become unavailable and require a manual restart to recover it. A MNRF could result in a loss of view and/or control of connected devices. 

CVSS Base Score: 8.6/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

 

CVSS Base Score: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

 

Mitigations and Workarounds  

Customers using the affected software that are not able to upgrade to one of the corrected versions should use the security best practices.  

 ADDITIONAL RESOURCES

The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE 2024-3493

    Glossary

  • Fragment Packet: may be generated automatically by devices that send large amounts of data
  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
  • Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly
  • Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product
Copyright ©2022 Rockwell Automation, Inc.