Full Report
Remote attackers could cause a denial-of-service condition in Allen-Bradley CompactLogix and Compact GuardLogix controllers by exploiting a vulnerability in these devices
Analysis Summary
# Vulnerability: Remote Denial of Service in Rockwell Automation Allen-Bradley Controllers
## CVE Details
- **CVE ID:** CVE-2018-10619
- **CVSS Score:** 8.6 (High)
- **CWE:** CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:**
  - Allen-Bradley CompactLogix 5370
  - Allen-Bradley Compact GuardLogix 5370
- **Versions:**
  - All versions prior to v30.014
- **Configurations:** Devices with EtherNet/IP connectivity enabled.
## Vulnerability Description
The vulnerability exists in the way affected controllers process specific network packets. An improper input validation flaw allows a remote, unauthenticated attacker to send a specially crafted packet to the device. This causes the controller to experience a major non-recoverable fault (MNRF), resulting in a Denial of Service (DoS) condition where the device stops executing logic and enters an error state. Physical intervention (e.g., a power cycle or manual reset) is typically required to restore service.
## Exploitation
- **Status:** Not exploited in the wild at time of reporting; PoC available to researchers.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Total loss of controller availability/logic execution)
## Remediation
### Patches
Rockwell Automation has released updated firmware versions to address this flaw.
- **CompactLogix 5370 / Compact GuardLogix 5370:** Upgrade to **v30.014** or later.
- For users of older major revisions (e.g., v20-v29), refer to the Rockwell Automation Product Compatibility and Download Center (PCDC) for the most recent security-hardened sub-versions.
### Workarounds
- **Network Segmentation:** Ensure the ICS/PLC network is not directly accessible from the internet.
- **Port Filtering:** Block incoming traffic on EtherNet/IP ports (TCP/UDP 44818 and UDP 2222) from unauthorized sources.
- **Physical Switch:** Place the controller mode switch in "Run" mode to prevent some types of unauthorized configuration changes, though this may not fully mitigate packet-based DoS.
## Detection
- **Indicators of Compromise:**
  - Controller unexpectedly entering a "Major Fault" state.
  - Loss of communication with the HMI/SCADA system.
  - Presence of unusual EtherNet/IP traffic or malformed packets logged by an Intrusion Detection System (IDS).
- **Detection methods and tools:**
  - Use Industrial Control System (ICS) firewalls with Deep Packet Inspection (DPI) to monitor for malformed EtherNet/IP traffic.
  - Review controller diagnostic logs for fault codes associated with MNRF.
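The port-filtering workaround and the detection indicators above both reduce to one check: EtherNet/IP traffic (TCP/UDP 44818, UDP 2222) reaching a controller from a source that is not an authorized engineering or HMI host. The following is an added example, not code from the advisory or from Rockwell Automation; it runs that check over constructed firewall log lines, and the allowlisted subnet, controller addresses and log format are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# EtherNet/IP (protocol, destination port) pairs named in the port-filtering workaround.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Hypothetical engineering-workstation/HMI subnet permitted to reach the controllers.
AUTHORIZED_SOURCES = [ip_network("10.10.5.0/24")]

# Constructed sample lines in a simple "<ts> <host> <proto> <src>:<sport> -> <dst>:<dport>" format.
SAMPLE_LOG = """\
2018-06-27T10:00:01 fw tcp 10.10.5.20:51000 -> 10.20.1.7:44818
2018-06-27T10:00:02 fw udp 10.10.5.20:2222 -> 10.20.1.7:2222
2018-06-27T10:00:05 fw tcp 203.0.113.45:40001 -> 10.20.1.7:44818
2018-06-27T10:00:06 fw tcp 203.0.113.45:40002 -> 10.20.1.7:80
2018-06-27T10:00:09 fw udp 192.168.77.3:60000 -> 10.20.1.8:2222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def is_authorized(src):
    """True if the source address falls inside an allowlisted subnet."""
    ip = ip_address(src)
    return any(ip in net for net in AUTHORIZED_SOURCES)

def find_unauthorized_enip(log_text):
    """Return (ts, src, dst, proto, dport) for EtherNet/IP flows from non-allowlisted sources."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (rec["proto"], rec["dport"]) not in ENIP_PORTS:
            continue  # unparsable line, or not EtherNet/IP: ignore
        if not is_authorized(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return hits

if __name__ == "__main__":
    for hit in find_unauthorized_enip(SAMPLE_LOG):
        print("ALERT unauthorized EtherNet/IP access:", hit)
```

On the sample data only the two flows from 203.0.113.45 (TCP 44818) and 192.168.77.3 (UDP 2222) are reported; the HTTP connection to port 80 is outside the scope of this check.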
## References
- **Vendor Advisory:** https://rockwellautomation.custhelp[.]com/app/answers/detail/a_id/1075059
- **ICS-CERT (CISA) Advisory:** https://www.cisa[.]gov/news-events/ics-advisories/icsa-18-179-01
- **Kaspersky ICS CERT:** https://ics-cert.kaspersky[.]com/publications/reports/2018/06/27/dos-vulnerability-in-allen-bradley-compactlogix-and-compact-guardlogix-controllers/