Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTA-2013-AVI-047
Vulnerability from certfr_avis
De multiples vulnérabilités ont été corrigées dans Rockwell Automation Controllogix. Elles concernent des dénis de services à distance et des atteintes à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| N/A | N/A | 1768-ENBT | ||
| N/A | N/A | MicroLogix 1400 | ||
| N/A | N/A | 1768-EWEB | ||
| N/A | N/A | 1788-ENBT | ||
| N/A | N/A | 1756-EWEB | ||
| N/A | N/A | 1794-AENTR | ||
| N/A | N/A | CompactLogix L32 et L35E | ||
| N/A | N/A | 1756-ENBT | ||
| N/A | N/A | ControlLogix, CompactLogix, GuardLogix, SoftLogix, version 18 et antérieures | ||
| N/A | N/A | MicroLogix 1100 | ||
| N/A | N/A | EtherNet/IP |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "1768-ENBT",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "MicroLogix 1400",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1768-EWEB",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1788-ENBT",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1756-EWEB",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1794-AENTR",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "CompactLogix L32 et L35E",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "1756-ENBT",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "ControlLogix, CompactLogix, GuardLogix, SoftLogix, version 18 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "MicroLogix 1100",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "EtherNet/IP",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2012-6441",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6441"
},
{
"name": "CVE-2012-6437",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6437"
},
{
"name": "CVE-2012-6442",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6442"
},
{
"name": "CVE-2012-6435",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6435"
},
{
"name": "CVE-2012-6438",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6438"
},
{
"name": "CVE-2012-6436",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6436"
},
{
"name": "CVE-2012-6439",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6439"
},
{
"name": "CVE-2012-6440",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6440"
}
],
"initial_release_date": "2013-01-17T00:00:00",
"last_revision_date": "2013-01-17T00:00:00",
"links": [],
"reference": "CERTA-2013-AVI-047",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2013-01-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eRockwell Automation Controllogix\u003c/span\u003e. Elles concernent\ndes d\u00e9nis de services \u00e0 distance et des atteintes \u00e0 la confidentialit\u00e9\ndes donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le syst\u00e8me SCADA Rockwell Automation Controllogix",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 ICSA-13-011-03 du 11 janvier 2013",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
CVE-2012-6437 (GCVE-0-2012-6437)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 22:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices.\n\n\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T22:05:18.667Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "EXTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Authentication",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eTo mitigate the vulnerability with the Web server password authentication mechanism:\u003c/p\u003e\u003col\u003e\u003cli\u003eUpgrade the MicroLogix 1400 firmware to FRN 12 or higher.\u003c/li\u003e\u003cli\u003eBecause of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\u003c/li\u003e\u003cli\u003eWhere possible, disable the Web server and change all default Administrator and Guest passwords.\u003c/li\u003e\u003cli\u003eIf Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as:\u003col\u003e\u003cli\u003eWhen a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\u003c/li\u003e\u003cli\u003eWhen a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eIf Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\n\n\n\n\nTo mitigate the vulnerability with the Web server password authentication mechanism:\n\n * Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.\n * Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\n * Where possible, disable the Web server and change all default Administrator and Guest passwords.\n * If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: * When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\n * When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\n\n * If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6437",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T22:05:18.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6438 (GCVE-0-2012-6438)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 21:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the NIC to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the NIC to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the NIC to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\n\n\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T21:47:52.993Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "EXTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Input Validation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\u003c/p\u003e\u003col\u003e\u003cli\u003eBlock all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\u003c/li\u003e\u003cli\u003eEmploy a UTM appliance that specifically supports CIP message filtering.\u003c/li\u003e\u003c/ol\u003e\n\n\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n * Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\n * Employ a UTM appliance that specifically supports CIP message filtering.\n\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6438",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T21:47:52.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6440 (GCVE-0-2012-6440)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 22:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s Web server to view and alter product configuration and diagnostics information.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.932Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T22:03:01.214Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "INTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Input Validation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eTo mitigate the vulnerability with the Web server password authentication mechanism:\u003c/p\u003e\u003col\u003e\u003cli\u003eUpgrade the MicroLogix 1400 firmware to FRN 12 or higher.\u003c/li\u003e\u003cli\u003eBecause of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\u003c/li\u003e\u003cli\u003eWhere possible, disable the Web server and change all default Administrator and Guest passwords.\u003c/li\u003e\u003cli\u003eIf Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as:\u003col\u003e\u003cli\u003eWhen a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\u003c/li\u003e\u003cli\u003eWhen a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eIf Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\n\n\n\n\nTo mitigate the vulnerability with the Web server password authentication mechanism:\n\n * Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.\n * Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\n * Where possible, disable the Web server and change all default Administrator and Guest passwords.\n * If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: * When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\n * When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\n\n * If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6440",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T22:03:01.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6436 (GCVE-0-2012-6436)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 21:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.998Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.\n\n\n\n\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T21:59:03.474Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "EXTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Input Validation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\u003c/p\u003e\u003col\u003e\u003cli\u003eBlock all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\u003c/li\u003e\u003cli\u003eEmploy a UTM appliance that specifically supports CIP message filtering.\u003c/li\u003e\u003c/ol\u003e\n\n\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n * Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\n * Employ a UTM appliance that specifically supports CIP message filtering.\n\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6436",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T21:59:03.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6435 (GCVE-0-2012-6435)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 21:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.\n\n\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T21:37:15.940Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "EXTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Access Control",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\u003c/p\u003e\u003col\u003e\u003cli\u003eBlock all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\u003c/li\u003e\u003cli\u003eEmploy a UTM appliance that specifically supports CIP message filtering.\u003c/li\u003e\u003c/ol\u003e\n\n\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n * Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\n * Employ a UTM appliance that specifically supports CIP message filtering.\n\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6435",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T21:37:15.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6439 (GCVE-0-2012-6439)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
When an affected
product receives a valid CIP message from an unauthorized or unintended
source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port
44818/UDP that changes the product’s configuration and network
parameters, a DoS condition can occur. This situation could cause loss
of availability and a disruption of communication with other connected
devices.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen an affected \nproduct receives a valid CIP message from an unauthorized or unintended \nsource to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port \n44818/UDP that changes the product\u2019s configuration and network \nparameters, a DoS condition can occur. This situation could cause loss \nof availability and a disruption of communication with other connected \ndevices.\u003c/span\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When an affected \nproduct receives a valid CIP message from an unauthorized or unintended \nsource to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port \n44818/UDP that changes the product\u2019s configuration and network \nparameters, a DoS condition can occur. This situation could cause loss \nof availability and a disruption of communication with other connected \ndevices.\u00a0\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T21:33:10.902Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "EXTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Access Control",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\u003c/p\u003e\u003col\u003e\u003cli\u003eBlock all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\u003c/li\u003e\u003cli\u003eEmploy a UTM appliance that specifically supports CIP message filtering.\u003c/li\u003e\u003c/ol\u003e\n\n\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n * Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\n * Employ a UTM appliance that specifically supports CIP message filtering.\n\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6439",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T21:33:10.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6441 (GCVE-0-2012-6441)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 21:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An information exposure of confidential information results when the device receives a specially crafted CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP. Successful exploitation of this vulnerability could cause loss of confidentiality.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn information exposure of confidential information results when the device receives a specially crafted CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP. Successful exploitation of this vulnerability could cause loss of confidentiality.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An information exposure of confidential information results when the device receives a specially crafted CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP. Successful exploitation of this vulnerability could cause loss of confidentiality.\n\n\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T21:43:45.657Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "INTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Information Exposure",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\u003c/p\u003e\u003col\u003e\u003cli\u003eBlock all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\u003c/li\u003e\u003cli\u003eEmploy a UTM appliance that specifically supports CIP message filtering.\u003c/li\u003e\u003c/ol\u003e\n\n\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n * Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\n * Employ a UTM appliance that specifically supports CIP message filtering.\n\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6441",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T21:43:45.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6442 (GCVE-0-2012-6442)
Vulnerability from cvelistv5
Published
2013-01-24 21:00
Modified
2025-06-30 21:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rockwell Automation | 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules |
Version: All |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:28:39.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix L32E and L35E controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1788-ENBT FLEXLogix adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "1794-AENTR FLEX I/O EtherNet/IP adapter",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CompactLogix and SoftLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ControlLogix and GuardLogix controllers",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MicroLogix",
"vendor": "Rockwell Automation",
"versions": [
{
"status": "affected",
"version": "1100"
},
{
"status": "affected",
"version": "1400"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n Santamarta of IOActive identified vulnerabilities in Rockwell Automation\u2019s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.\u003c/span\u003e\n\n\u003c/p\u003e\u003cp\u003eRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400\u0026nbsp;\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-30T21:35:27.283Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAccording to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\"\u003ehttps://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on security with Rockwell Automation products, please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"source": {
"advisory": "ICSA-13-011-03",
"discovery": "EXTERNAL"
},
"title": "Rockwell Automation ControlLogix PLC Improper Access Control",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\u003c/p\u003e\u003cp\u003eTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\u003c/p\u003e\u003col\u003e\u003cli\u003eBlock all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\u003c/li\u003e\u003cli\u003eEmploy a UTM appliance that specifically supports CIP message filtering.\u003c/li\u003e\u003c/ol\u003e\n\n\u003cp\u003eIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\u003c/p\u003e\u003col\u003e\u003cli\u003eEmploy layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\"\u003ehttp://www.ab.com/networks/architectures.html\u003c/a\u003e for comprehensive information about implementing validated architectures designed to deliver these measures.\u003c/li\u003e\u003cli\u003eRestrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\u003c/li\u003e\u003cli\u003eEmploy firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\u003c/li\u003e\u003cli\u003eUse up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\u003c/li\u003e\u003cli\u003eMake sure that software and control system device firmware is patched to current releases.\u003c/li\u003e\u003cli\u003ePeriodically change passwords in control system components and infrastructure devices.\u003c/li\u003e\u003cli\u003eWhere applicable, set the controller key-switch/mode-switch to RUN mode.\u003c/li\u003e\u003c/ol\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor more information on security with Rockwell Automation products, please refer to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\"\u003eRockwell\u2019s Security Advisory Index\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\nTo mitigate the vulnerabilities pertaining to receiving valid CIP packets:\n\n * Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).\n * Employ a UTM appliance that specifically supports CIP message filtering.\n\n\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2012-6439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf",
"refsource": "MISC",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2012-6442",
"datePublished": "2013-01-24T21:00:00Z",
"dateReserved": "2012-12-26T00:00:00Z",
"dateUpdated": "2025-06-30T21:35:27.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…