CVE-2010-5305
📋 TL;DR
This vulnerability weakens the password protection mechanism in Rockwell PLC5/SLC5/0x/RSLogix 1785-Lx and 1747-L5x controllers: unauthorized programming clients can bypass authentication and modify controller configurations or programs. It affects industrial control systems using these specific Rockwell Automation controllers with vulnerable firmware versions.
💻 Affected Systems
- Rockwell PLC5/SLC5/0x/RSLogix 1785-Lx controllers
- Rockwell 1747-L5x controllers
📦 What is this software?
PLC5 1785-Lx Firmware by Rockwell Automation
RSLogix by Rockwell Automation
SLC5/01 1747-L5x Firmware by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control of industrial controllers, potentially modifying safety-critical logic, disrupting manufacturing processes, causing equipment damage, or creating hazardous conditions in industrial environments.
Likely Case
Unauthorized configuration changes leading to production downtime, process manipulation, or data integrity issues in industrial control systems.
If Mitigated
Limited impact if controllers are isolated in segmented networks with proper access controls and monitoring, though the vulnerability still exists.
🎯 Exploit Status
The vulnerability allows bypassing password protection without authentication, making exploitation straightforward for attackers with network access to controllers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions with enhanced security functionality compatible with FactoryTalk Security services
Vendor Advisory: http://rockwellautomation.custhelp.com/app/answers/detail/a_id/66684/kw/vulnerability/r_id/115100
Restart Required: Yes
Instructions:
1. Identify affected controller models and current firmware versions.
2. Obtain updated firmware from Rockwell Automation.
3. Back up current controller configurations.
4. Apply the firmware update following Rockwell's upgrade procedures.
5. Verify functionality and restore configurations if needed.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected controllers in separate network segments with strict access controls.
Access Control Lists
Implement network ACLs to restrict communication to only authorized programming stations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate controllers from untrusted networks
- Deploy industrial firewalls with deep packet inspection to monitor and control controller communications
🔍 How to Verify
Check if Vulnerable:
Check controller firmware version against Rockwell's advisory and verify if password protection is implemented without FactoryTalk Security integration.
Check Version:
Use Rockwell programming software (RSLogix) to connect to controller and check firmware version in controller properties.
Verify Fix Applied:
Verify firmware version has been updated to include enhanced security functionality and test that unauthorized programming clients cannot access controllers.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to controller programming ports
- Multiple failed authentication attempts followed by successful access
- Configuration changes from unauthorized IP addresses
Network Indicators:
- Unexpected traffic on controller programming ports (typically 2222, 44818)
- Programming protocol traffic from unauthorized network segments
SIEM Query:
source_ip NOT IN (authorized_programming_stations) AND destination_port IN (2222, 44818) AND protocol = 'CIP'
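The SIEM query above is pseudo-syntax; the following is an added example (not part of the original page or any Rockwell product) that applies the same rule to flow records. The `key=value` record format, the `app=CIP` label (as a DPI firewall or NetFlow exporter might tag it), and the allow-listed station addresses are all constructed assumptions; it also accepts subnets in the allow-list, a small generalization of the single-IP list in the query.

```python
import ipaddress

# Controller programming ports named in the page's network indicators
PROGRAMMING_PORTS = {2222, 44818}
# Assumed allow-list of engineering workstations (hosts or subnets); constructed values
AUTHORIZED_PROGRAMMING_STATIONS = [
    ipaddress.ip_network("10.10.1.20/32"),
    ipaddress.ip_network("10.10.1.64/27"),
]

def parse_flow(line: str) -> dict:
    """Parse one constructed 'key=value' flow record into a dict."""
    fields = dict(token.split("=", 1) for token in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "app": fields.get("app", "").upper(),
    }

def is_authorized_station(src) -> bool:
    """True when src is an allow-listed host or lies inside an allow-listed subnet."""
    return any(src in net for net in AUTHORIZED_PROGRAMMING_STATIONS)

def is_unauthorized_programming(flow: dict) -> bool:
    """Mirror of the SIEM rule: CIP traffic to a programming port from a non-allow-listed host."""
    return (flow["dport"] in PROGRAMMING_PORTS and flow["app"] == "CIP"
            and not is_authorized_station(flow["src"]))

def find_alerts(lines) -> list:
    """Return (src, dst, dport) for every flow record that violates the rule."""
    alerts = []
    for flow in map(parse_flow, lines):
        if is_unauthorized_programming(flow):
            alerts.append((str(flow["src"]), str(flow["dst"]), flow["dport"]))
    return alerts

# Constructed sample flow records (not real captures)
SAMPLE_FLOWS = [
    "src=10.10.1.20 dst=10.20.5.7 dport=44818 app=CIP",   # allow-listed host
    "src=10.10.9.44 dst=10.20.5.7 dport=44818 app=CIP",   # unknown host: alert
    "src=10.10.9.44 dst=10.20.5.7 dport=502 app=MODBUS",  # not a programming port
    "src=10.10.1.70 dst=10.20.5.8 dport=2222 app=CIP",    # inside allow-listed subnet
    "src=192.168.3.9 dst=10.20.5.8 dport=2222 app=CIP",   # unknown host: alert
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print("ALERT unauthorized programming traffic:", alert)
```

Run on the constructed sample it reports the two flows from hosts outside the allow-list; tune the allow-list and port set to your own engineering network before using the logic on real flow exports.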