Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules

Risk Summary

Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify system settings and cause a loss of communication between the device and the system.

CVEs (1)

Remediations

• For MicroLogix 1400 Controllers 1766-Lxxx, Series B or C, apply FRN 21.004 and later. Once the new FRN is applied, use the LCD Display to put the controller in RUN mode to prevent configuration changes. See p. 115 of the MicroLogix 1400 Programmable Controllers User Manual (1766-UM001M-EN-P) for details (available at the following location):
• The download for FRN 21.004 can be found at the following location:
• 1756 ControlLogix EtherNet/IP Communications Modules, 1756-ENBT, all versions, 1756-EN2F Series A, all versions, Series B, all versions. 1756-EN2T, Series A, all versions, Series B, all versions, Series C, all versions. 1756-EN2TR Series A, all versions, Series B, all versions. 1756-EN3TR Series A. No direct mitigation provided. See additional mitigating recommendations below for suggested actions.
• 1756 ControlLogix EtherNet/IP Communications Modules, 1756-EN2F, Series C, 1756-EN2T, Series D, 1756-EN2TR, Series C, 1756-EN3TR, Series B. The recommendations are to apply FRN 11.001 and later. Once the new FRN is applied, enable Explicit Protected Mode. See p. 32 of the EtherNet/IP Network Configuration User Manual (ENET-UM001-EN-P) for details. Available at the following location:
• The download for FRN 11.001 can be found at the following location:
• Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP messages from unauthorized sources are blocked.
• Consult the product documentation for specific features, such as a hardware key switch setting, which may be used to block unauthorized changes, etc.
• Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the operational zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP Ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
• Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• For additional information, Rockwell Automation recommends users continue to monitor their advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index at the following location (login required):

Affected Vendors

Affected Products (18)

Affected Sectors

Critical Manufacturing, Food and Agriculture, Transportation Systems, Water and Wastewater Systems