
Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors

In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products.

In an advisory published last week, Rockwell Automation informed customers that the flaw impacts Allen-Bradley CompactLogix 5370 and Compact GuardLogix 5370 programmable automation controllers, which are used to control processes in the critical infrastructure, water systems, entertainment, automotive, food and beverage, and other sectors.

The vulnerability is tracked by Rockwell as CVE-2017-9312 and it has been classified as “high severity” with a CVSS score of 8.6. CompactLogix 5370 L1, L2 and L3, and Armor CompactLogix 5370 L3 small controllers, and Compact GuardLogix 5370 and Armor Compact GuardLogix 5370 L3 safety controllers running firmware version 30.012 and prior are affected. The security hole has been patched with the release of version 31.011.

A remote attacker can exploit the vulnerability to cause affected devices to enter Major Non-Recoverable Fault (MNRF) mode, which results in a DoS condition that requires the user to re-download the application program in order to restore the system.

“An MNRF is a controlled action taken by the controller when it is determined that the controller could no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation,” Rockwell Automation said in an advisory (customer account required).

According to Applied Risk’s own advisory, the vulnerability exists due to “incorrect processing of TCP ACK packet additional options by the listener at Ethernet/IP TCP port (default 44818).”

“An incorrect order on the NOP option leads to an immediate device reboot and enters a ‘Major Fault’ mode which must be resolved manually. To trigger the vulnerability, the NOP option must be put first and the number of options must be more than one,” Applied Risk explained.

In addition to applying firmware updates, Rockwell has advised customers to block all traffic to Ethernet/IP and other CIP protocol-based devices from outside the manufacturing zone, minimize network exposure for control systems, and use VPNs where remote access is required.
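
An added example (not from Rockwell, Applied Risk or the original article) of triaging traffic to the EtherNet/IP listener: it parses TCP option kinds and reports segments that arrive from outside the manufacturing zone or that carry the ACK option layout Applied Risk describes. The zone subnet and the sample headers are constructed placeholders; NOP padding ahead of other options is also common in ordinary TCP stacks, so the second finding is a signal to correlate with the source zone, not an alert on its own.

```python
import ipaddress

ENIP_PORT = 44818   # default EtherNet/IP TCP port named in Applied Risk's advisory
ACK, NOP, EOL = 0x10, 1, 0
# Assumption: placeholder manufacturing-zone subnet; substitute the site's own ranges.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

def parse_tcp_options(tcp: bytes) -> list:
    """Return the option kinds of a raw TCP header, in wire order."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp[12] >> 4) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(tcp):
        raise ValueError("bad TCP data offset")
    opts, i, kinds = tcp[20:header_len], 0, []
    while i < len(opts) and opts[i] != EOL:
        kinds.append(opts[i])
        if opts[i] == NOP:                   # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option length")
        i += opts[i + 1]
    return kinds

def review_segment(src_ip: str, tcp: bytes) -> list:
    """Findings for one TCP segment addressed to the EtherNet/IP listener."""
    kinds = parse_tcp_options(tcp)
    if int.from_bytes(tcp[2:4], "big") != ENIP_PORT:
        return []
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in MANUFACTURING_ZONE):
        findings.append("enip-from-outside-zone")      # Rockwell: block at the zone boundary
    if tcp[13] & ACK and len(kinds) > 1 and kinds[0] == NOP:
        findings.append("ack-nop-first-multi-option")  # layout described by Applied Risk
    return findings

# Constructed sample headers (not captured traffic), all with destination port 44818.
ACK_NOP_NOP_TS = bytes.fromhex(
    "c000af12 00000001 00000001 8010 2000 0000 0000 0101080a 00000001 00000002")
ACK_NO_OPTIONS = bytes.fromhex("c000af12 00000001 00000001 5010 2000 0000 0000")
SYN_MSS_FIRST = bytes.fromhex(
    "c000af12 00000001 00000000 7002 2000 0000 0000 020405b4 01030307")
```
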

Since the underlying issue that causes the vulnerability is related to Ethernet/IP, one of the most widely used industrial network protocols, researchers believe products from other vendors are likely affected as well. No other companies have been singled out, but Applied Risk did reveal at the ICS Cyber Security Conference that its researchers tested safety controllers from several major vendors, including Siemens, ABB, Pilz, and Phoenix Contact.

Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people, experts warned.

“The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place,” Rockwell said.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
