Accessibility Options |  Sitemap |  Contact Us
   
 
 
 
HOME space ABOUTCERTIn space KNOWLEDGEBASE space TRAINING space ADVISORIES space VULNOTES space space Facebook space x space insta space youtube space Linkedin
WLine
DigitalIndia
WLine
csk
WLine
Full Member FIRST
Line
Operational Member TFCSIRT
Line
Accredited Member APCERT
Line
Global Research Partner APWG
Line
Associate Partner Charter
Line
CNA
WLine
 Directions by CERT-In under  Section 70B, Information  Technology Act 2000
WLine
 Guidelines on Information  Security Practices for  Government Entities
WLine
 Technical Guidelines on NEW  SOFTWARE BILL OF MATERIALS  (SBOM)
WLine
 Cyber Security GuidelinesNEW  for Smart City Infrastructure
About CERT-in
Line
point point Client's /Citizen's Charter
Line
point point Roles & Functions
Line
point point Advisory Committee
Line
point point Act/Rules/Regulations
Line
point point Internal Complaint Committee         (ICC) 
Line
point point RFC2350 
line
point point Press  
Line
point point Tender 
Line
point point Subscribe Mailing List
Line
point point Contact Us
Line
Line
Reporting
point
 Incident Reporting
point
Line
point
 Vulnerability Reporting
point
Line
point
 Feedback
point
Line
KnowledgeBase
Line
point Point Guidelines
Line
point Point Presentations
Line
point Point White Papers 
Line
point Point Annual Report 
Line
Line
Line
line
Line
line
line
Advisories
Line
VulnerabilityNotes
Line
RelatedLinks
Line
point Point World CERTs
Line
point point Antivirus Resources
line
point point FAQ
line
line
Line
Line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
spacer
Home - Vulnerability NotesPrint
point
CERT-In Vulnerability Note CIVN-2018-0216
Multiple Vulnerabilities in Rockwell Automation Products

Original Issue Date:December 17, 2018

Severity Rating: HIGH

Systems Affected

MicroLogix 1400 Controllers
  • Series A, all versions
  • Series B, v21.003 and earlier
  • Series C, v21.003 and earlier
1756 Control Logix Ethernet/IP Communications Modules
1756-ENBT, all versions
1756-EWEB
  • Series A, all versions
  • Series B, all versions
1756-EN2F
  • Series A, all versions
  • Series B, all versions
  • Series C, v10.10 and earlier
1756-EN2T
  • Series A, all versions
  • Series B, all versions
  • Series C, all versions
  • Series D, v10.10 and earlier
1756-EN2TR
  • Series A, all versions
  • Series B, all versions
  • Series C, v10.10 and earlier
1756-EN3TR
  • Series A, all versions
  • Series B, v10.10 and earlier

Overview

A vulnerability has been reported in Rockwell Automation products. Successful exploitation of this vulnerability could allow a remote attacker to modify system settings which cause a loss of communication between the device and the system, resulting in Denial of Service (DoS) conditions.

Description

1. Missing authentication for critical function ( CVE-2018-17924   )

This vulnerability exists in an unspecified function of the component CIP Connection Request Handler.An unauthenticated, remote attacker could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, it causes a loss of communication between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address. 

Workaround

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that Ethernet/IP messages from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware key switch setting, which may be used to block unauthorized changes, etc.
  • Block all traffic to Ethernet/IP or other CIP protocol-based devices from outside the operational zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. 
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

Solution

Apply appropriate updates as mentioned in the Rockwell Automation advisory:
  • MicroLogix 1400 Controllers 1766-Lxxx, Series A: - No direct mitigation provided. See workarounds.
  • For MicroLogix 1400 Controllers 1766-Lxxx, Series B or C: - Apply FRN 21.004 and later. Once the new FRN is applied, use the LCD Display to put the controller in RUN mode to prevent configuration changes.

Vendor Information

Rockwell Automation
https://www.rockwellautomation.com/

References

ICS-CERT
https://ics-cert.us-cert.gov/advisories/ICSA-18-310-02

SECURITY FOCUS
https://www.securityfocus.com/bid/106132/

CVE Name
CVE-2018-17924

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India

 
Indian Computer Emergency Response Team - CERT-In, Ministry of Electronics and Information Technology, Government of India.
Website Policies |  Terms of Use |  Help Last Updated On May 01, 2025