In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products.
In an advisory published last week, Rockwell Automation informed customers that the flaw impacts Allen-Bradley CompactLogix 5370 and Compact GuardLogix 5370 programmable automation controllers, which are used to control processes in the critical infrastructure, water systems, entertainment, automotive, food and beverage, and other sectors.
The vulnerability is tracked by Rockwell as CVE-2017-9312 and it has been classified as “high severity” with a CVSS score of 8.6. CompactLogix 5370 L1, L2 and L3, and Armor CompactLogix 5370 L3 small controllers, and Compact GuardLogix 5370 and Armor Compact GuardLogix 5370 L3 safety controllers running firmware version 30.012 and prior are affected. The security hole has been patched with the release of version 31.011.
A remote attacker can exploit the vulnerability to cause affected devices to enter Major Non-Recoverable Fault (MNRF) mode, which results in a DoS condition that requires the user to re-download the application program in order to restore the system.
“An MNRF is a controlled action taken by the controller when it is determined that the controller could no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation,” Rockwell Automation said in an advisory (customer account required).
According to Applied Risk’s own advisory, the vulnerability exists due to “incorrect processing of TCP ACK packet additional options by the listener at Ethernet/IP TCP port (default 44818).”
“An incorrect order on the NOP option leads to an immediate device reboot and enters a ‘Major Fault’ mode which must be resolved manually. To trigger the vulnerability, the NOP option must be put first and the number of options must be more than one,” Applied Risk explained.
In addition to applying firmware updates, Rockwell has advised customers to block all traffic to Ethernet/IP and other CIP protocol-based devices from outside the manufacturing zone, minimize network exposure for control systems, and use VPNs where remote access is required.
Since the underlying issue that causes the vulnerability is related to Ethernet/IP, one of the most widely used industrial network protocols, researchers believe products from other vendors are likely affected as well. No other companies have been singled out, but Applied Risk did reveal at the ICS Cyber Security Conference that its researchers tested safety controllers from several major vendors, including Siemens, ABB, Pilz, and Phoenix Contact.
Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people, experts warned.
“The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place,” Rockwell said.