When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

Rockwell Automation EtherNet/IP products allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that specifies a reset.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that specifies a reset.

The installed firmware on the remote Allen-Bradley MicroLogix 1400 controller is affected by multiple vulnerabilities :

  - A flaw exists when handling messages that modify     specific bits in status files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted message, to cause a denial of service     condition. (CVE-2012-4690)

  - A flaw exists in the Ethernet/IP protocol implementation     when handling a CIP message that specifies a     logic-execution 'stop' command. An unauthenticated,     remote attacker can exploit this, via a specially     crafted message, to cause a denial of service condition.
    (CVE-2012-6435)

  - A buffer overflow condition exists due to improper     validation of user-supplied input when parsing CIP     packets. An unauthenticated, remote attacker can exploit     this, via a malformed packet, to cause a denial of     service condition. (CVE-2012-6436, CVE-2012-6438)

  - A flaw exists due to a failure to properly authenticate     Ethernet firmware updates. An unauthenticated, remote     attacker can exploit this, via a trojan horse update     image, to execute arbitrary code. (CVE-2012-6437)

  - A flaw exists when handling CIP messages that modify     network and configuration parameters. An     unauthenticated, remote attacker can exploit this, via a     specially crafted message, to cause a denial of service     condition. (CVE-2012-6439)

  - A flaw exists due to a failure to properly restrict     session replaying. A man-in-the-middle attacker can     exploit this, via HTTP traffic, to conduct a replay     attack. (CVE-2012-6440)

  - An information disclosure vulnerability exists in the     Ethernet/IP protocol implementation when handling the     'dump' command. An unauthenticated, remote attacker     can exploit this, via a specially crafted CIP packet,     to disclose the boot code of the device. (CVE-2012-6441)

  - A flaw exists in the Ethernet/IP protocol implementation     when handling a CIP message that specifies a 'reset'     command. An unauthenticated, remote attacker can exploit     this, via a specially crafted message, to cause a denial     of service condition. (CVE-2012-6442)

Note that Nessus has not tested for these issues but has instead relied only on the firmware's self-reported version number.

The Rockwell Automation MicroLogix 1100 PLC integrated web server has a firmware version that is prior to Series B FRN 13.0. It is, therefore, affected by multiple vulnerabilities :

  - An improper access control vulnerability exists when     sending a 'stop' command, which causes a denial of     service condition leaving the device in an unresponsive     state, resulting in a loss of availability for any     device connected to the MicroLogix 1100 PLC.
    (CVE-2012-6435)

  - An improper validation vulnerability exists when the     device attempts to parse a CIP packet sent to affected     ports, which causes a buffer overflow that crashes the     device's CPU, resulting in a loss of availability for     any device connected to the MicroLogix 1100 PLC.
    (CVE-2012-6436)

  - An improper authentication vulnerability exists in the     module providing source and data authentication, which     can allow a remote attacker to upload an arbitrary     firmware image to the ethernet card, resulting in the     execution of code or causing a denial of service and a     loss of availability for any device connected to the     MicroLogix 1100 PLC. (CVE-2012-6437)

  - An improper validation vulnerability exists when the     device attempts to parse a malformed CIP packet, which     causes an overflow condition in the network interface     card (NIC), resulting in a denial of service condition     and a loss of availability for any device connected to     the MicroLogix 1100 PLC. (CVE-2012-6438)

  - An improper access control vulnerability exists when     parsing a CIP message that changes the device's network     or configuration parameters, resulting in a denial of     service condition and a loss of communication for any     device connected to the MicroLogix 1100 PLC.
    (CVE-2012-6439)

  - An information exposure vulnerability exists when     sending a 'dump' command, which results in the improper     disclosure of boot code information from the MicroLogix     1100 PLC. (CVE-2012-6441)

  - An improper access control vulnerability exists when     sending a 'reset' command, which causes a denial of     service condition leaving the device in an unresponsive     state, resulting in a loss of availability for any     device connected to the MicroLogix 1100 PLC.
    (CVE-2012-6442)

ID	Name	Product	Family	Severity
500028	Rockwell Automation Logix Controllers Denial of Service (CVE-2012-6442)	Tenable OT Security	Tenable.ot	high
720030	Rockwell Automation/Allen-Bradley Ethernet/IP Products Improper Access Control	Nessus Network Monitor	SCADA	high
91345	Allen-Bradley MicroLogix 1400 Multiple Vulnerabilities	Nessus	SCADA	critical
84567	Rockwell Automation MicroLogix 1100 PLC < Series B FRN 13.0 Multiple Vulnerabilities	Nessus	SCADA	critical

Detections

Analytics

CVE-2012-6442

high

Tenable Plugins

high

high

critical

critical