Cisco Talos this week released the details of several remotely exploitable denial-of-service (DoS) vulnerabilities found by one of its researchers in an industrial automation product made by Rockwell Automation.
The affected product is the Allen-Bradley 1794-AENT Flex I/O series B adapter, specifically the device’s Ethernet/IP request path port/data/logical segment functionality.
Cisco Talos and Rockwell Automation say a total of five high-severity buffer overflow vulnerabilities have been identified. They impact adapters running versions 4.003 and earlier.
A remote, unauthenticated attacker can exploit these flaws to cause the targeted device to enter a DoS condition by sending it specially crafted packets.
Cisco noted in its advisories that “all remote communications with the device are stopped and a physical power cycle is required to regain functionality.”
The vulnerabilities were reported to Rockwell Automation in February and the vendor requested two disclosure extensions, but when it asked for a third extension, Talos informed it that the vulnerabilities would be disclosed on October 12 regardless of whether or not a patch is available.
Rockwell Automation also published an advisory (account required) for these vulnerabilities on October 12 and while a patch does not appear to be available, the company has provided specific and general recommendations to prevent attacks.
Specific recommendations include only accepting CIP connections from trusted sources on port 44818, employing network segmentation and security controls to minimize exposure of affected devices, and the use of firewalls, VPNs and other network infrastructure controls.