Latest Vulnerabilities #

Rockwell Automation has disclosed multiple vulnerabilities in their FactoryTalk ThinManager product.

CVE-2024-10386 is rated critical, with a CVSS v4 score of 9.3, and allows attackers with network access to send specially crafted packets that result in database manipulation.

CVE-2024-10387 is rated high, with a CVSS v4 score of 8.7, and allows attackers with network access to send specially crafted packets to the device, potentially triggering a denial of service.

The following versions are currently affected by these vulnerabilities:

  • ThinManager: Versions 11.2.0 to 11.2.9
  • ThinManager: Versions 12.0.0 to 12.0.7
  • ThinManager: Versions 12.1.0 to 12.1.8
  • ThinManager: Versions 13.0.0 to 13.0.5
  • ThinManager: Versions 13.1.0 to 13.1.3
  • ThinManager: Versions 13.2.0 to 13.2.2
  • ThinManager: Version 14.0.0

Are updates or workarounds available? #

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible. In addition, users are advised to limit communications to TCP 2031 to only the devices that need connection to the ThinManager.

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND tcp:2031
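
Once the query returns candidate hosts, the installed ThinManager version decides whether each one falls in an affected range listed above. The following Python triage is an added example, not runZero or Rockwell Automation code; the CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# Affected ThinManager ranges from the list above (inclusive on both ends).
AFFECTED = [
    ((11, 2, 0), (11, 2, 9)),
    ((12, 0, 0), (12, 0, 7)),
    ((12, 1, 0), (12, 1, 8)),
    ((13, 0, 0), (13, 0, 5)),
    ((13, 1, 0), (13, 1, 3)),
    ((13, 2, 0), (13, 2, 2)),
    ((14, 0, 0), (14, 0, 0)),
]

def parse_version(text):
    """Return (major, minor, patch); a missing patch counts as 0 (errs toward flagging)."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def triage(version_text):
    """Classify one reported version as affected, not-listed or unknown."""
    ver = parse_version(version_text)
    if ver is None:
        return "unknown"  # no usable version: needs manual follow-up
    hit = any(low <= ver <= high for low, high in AFFECTED)
    return "affected" if hit else "not-listed"

# Constructed sample export; addresses and column names are assumptions.
SAMPLE_CSV = """address,thinmanager_version
10.20.0.11,13.1.3
10.20.0.12,13.1.4
10.20.0.13,14.0.0
10.20.0.14,12.0
10.20.0.15,
"""

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["address"]: triage(r["thinmanager_version"]) for r in rows}

if __name__ == "__main__":
    for address, status in triage_inventory(SAMPLE_CSV).items():
        print(f"{address}\t{status}")
```

A result of "not-listed" only means the version is outside the ranges on this page; hosts reported as "unknown" still need their version confirmed by hand.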

CVE-2024-6077 (September 2024) #

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities results in devices becoming inaccessible remotely and crashing, after which manual intervention is required to restart them.

CVE-2024-6077 is rated high, with a CVSS v4 score of 8.7.

Are updates or workarounds available? #

Rockwell Automation has released patches and guidance for affected systems. Users are advised to upgrade as quickly as possible. Users may also disable CIP security on these devices to mitigate the issue.

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")

CVE-2024-40619 (August 2024) #

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities results in devices becoming inaccessible remotely and crashing, after which manual intervention is required to restart them.

CVE-2024-40619 is rated medium with a CVSS score of 7.5 and describes a denial-of-service scenario in which a malformed CIP packet causes a device to crash and require a manual restart.

| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix 5580 | v34.011 | v34.014+ |
| GuardLogix 5580 | v34.011 | v34.014+ |

Are updates or workarounds available? #

Rockwell Automation suggests updating devices to the corrected firmware revision.

  • CVE-2024-7515 is rated high with a CVSS score of 8.6 and describes a denial-of-service scenario in which a malformed PTP management packet causes a device to crash and require a manual restart.
  • CVE-2024-7507 is rated medium with a CVSS score of 7.5 and describes a denial-of-service scenario in which a malformed PCCC packet causes a device to crash and require a manual restart.

Rockwell Automation suggests updating devices to the corrected firmware revision. Additionally, they recommend restricting communication to CIP object 103 (0x67).

| Affected Product | Firmware Revision Prior To | Corrected in Firmware Revision |
| --- | --- | --- |
| CompactLogix 5380 (5069 - L3z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| CompactLogix 5480 (5069 - L4) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| ControlLogix 5580 (1756 - L8z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| GuardLogix 5580 (1756 - L8z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| Compact GuardLogix 5380 (5069 - L3zS2) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |

In all of the cases above, users should ensure these devices are isolated in their own networks to prevent unwanted packets from flooding the device.

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")

CVE-2024-6242 (August 2024) #

On August 1st, 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules products.

CVE-2024-6242 is rated high with a CVSS score of 7.3 and allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller.

By successfully exploiting this vulnerability on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.

Are updates or workarounds available? #

Rockwell Automation recommends upgrading devices to apply the fixes for the affected devices.

| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix® 5580 (1756-L8z) | V28 | V32.016, V33.015, V34.014, V35.011 and later |
| GuardLogix® 5580 (1756-L8zS) | V31 | V32.016, V33.015, V34.014, V35.011 and later |
| 1756-EN4TR | V2 | V5.001 and later |
| 1756-EN2T, Series A/B/C; 1756-EN2F, Series A/B; 1756-EN2TR, Series A/B; 1756-EN3TR, Series B | v5.007(unsigned) / v5.027(signed) | No fix is available for Series A/B/C. Users can upgrade to Series D to remediate this vulnerability |
| 1756-EN2T, Series D; 1756-EN2F, Series C; 1756-EN2TR, Series C; 1756-EN3TR, Series B; 1756-EN2TP, Series A | 1756-EN2T/D: V10.006; 1756-EN2F/C: V10.009; 1756-EN2TR/C: V10.007; 1756-EN3TR/B: V10.007; 1756-EN2TP/A: V10.020 | V12.001 and later |

Additionally, limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.
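
The controller rows of the table above list a separate corrected revision for each firmware branch, so a simple "newer than X" comparison gives wrong answers. The following Python check is an added example, not Rockwell Automation or runZero code; it assumes revisions are written as major.minor, that a later minor within a corrected branch is also corrected, and the sample inventory is constructed.

```python
import re

# From the CVE-2024-6242 table above: first affected major revision per product.
FIRST_KNOWN_MAJOR = {"ControlLogix 5580": 28, "GuardLogix 5580": 31}
# Corrected revisions V32.016, V33.015, V34.014: minimum fixed minor per branch.
FIXED_MINOR = {32: 16, 33: 15, 34: 14}
# "V35.011 and later": every revision at or above this one is corrected.
FIXED_FROM = (35, 11)

def parse_revision(text):
    """Parse 'V33.015' into (33, 15); return None if the string is malformed."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(product, revision_text):
    rev = parse_revision(revision_text)
    first = FIRST_KNOWN_MAJOR.get(product)
    if rev is None or first is None:
        return "unknown"  # unparsable revision or product not in the table
    major, minor = rev
    if major < first:
        return "before-first-known"
    # Branches without a listed fix (for example V28 to V31) never match here.
    if rev >= FIXED_FROM or minor >= FIXED_MINOR.get(major, float("inf")):
        return "corrected"
    return "affected"

# Constructed sample inventory (product, reported firmware revision).
SAMPLE = [
    ("ControlLogix 5580", "V33.014"),
    ("ControlLogix 5580", "V33.015"),
    ("ControlLogix 5580", "V30.012"),
    ("GuardLogix 5580", "V30.012"),
    ("GuardLogix 5580", "V36.011"),
]

def classify_all(items):
    return [(product, rev, classify(product, rev)) for product, rev in items]

if __name__ == "__main__":
    for product, rev, status in classify_all(SAMPLE):
        print(f"{product}\t{rev}\t{status}")
```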

How runZero users found potentially vulnerable systems #

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"1756-EN2" OR hw:"1756-EN3" OR hw:"1756-EN4"

CVE-2024-3493 (April 2024) #

In April 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and 1756-EN4TR products.

CVE-2024-3493 was rated high with a CVSS score of 8.6 and involved a specific malformed fragmented packet type which could cause a major nonrecoverable fault (MNRF) in Rockwell Automation's ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product would become unavailable and require a manual restart to recover it.

What was the impact? #

Successful exploitation of these vulnerabilities resulted in devices becoming inaccessible remotely and crashing, after which manual intervention was required to restart them.

Rockwell Automation provided software updates for the impacted versions.

| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix® 5580 | V35.011 | V35.013, V36.011 |
| GuardLogix 5580 | V35.011 | V35.013, V36.011 |
| CompactLogix 5380 | V35.011 | V35.013, V36.011 |
| 1756-EN4TR | V5.001 | V6.001 |

How runZero users found potentially vulnerable systems #

From the Asset Inventory, runZero users could use the following query to locate systems running potentially vulnerable software:

hw:"1756-EN4TR"

Rockwell Automation PowerFlex 527 vulnerabilities (March 2024) #

In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.

CVE-2024-2425 and CVE-2024-2426 are both rated high with a CVSS score of 7.5, and both involve improper input validation, which could cause a web server crash and a CIP communication disruption, respectively, each requiring a manual restart.

CVE-2024-2427 is rated high with a CVSS score of 7.5 and describes a denial-of-service scenario in which improper network packet throttling causes a device to crash and require a manual restart.

What was the impact? #

Successful exploitation of these vulnerabilities results in devices becoming inaccessible remotely and crashing, after which manual intervention is required to restart them.

Are updates or workarounds available? #

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Users should disable the web server if it is not needed; it should be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets from flooding the device.

How to find potentially vulnerable PowerFlex products #

From the Asset Inventory, runZero users used the following query to locate systems running potentially vulnerable software:

hw.product:"powerflex"

Written by Blain Smith

Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking working on some of the most popular games and systems millions of people play and watch daily. He has given numerous talks at conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception technology. A strong believer in Open Source, he has contributed to projects such as Nmap, Metasploit, and Recog.

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

© Copyright 2024 runZero, Inc. All Rights Reserved