CVE-2016-9343

10.0 CRITICAL

📋 TL;DR

This vulnerability in Rockwell Automation Logix5000 controllers allows remote attackers to execute arbitrary code or cause denial of service by sending specially crafted CIP packets. It affects industrial control systems using FRN 16.00 through 21.00 firmware versions. Successful exploitation could give attackers full control over industrial processes.

💻 Affected Systems

Products:
  • Rockwell Automation Logix5000 Programmable Automation Controller
Versions: FRN 16.00 through 21.00
Operating Systems: Embedded controller firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All firmware versions prior to FRN 16.00 are NOT affected. This affects the controller firmware itself, not host operating systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the industrial controller, allowing arbitrary code execution, manipulation of physical processes, and persistent access to industrial networks.

🟠 Likely Case: Denial of service causing a controller crash and production downtime, requiring a physical reset and potentially disrupting the process.

🟢 If Mitigated: Limited impact, because network segmentation and proper firewall rules prevent malicious CIP packets from reaching controllers.

🌐 Internet-Facing: HIGH - If controllers are directly exposed to the internet, they can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Even internally, any network-connected controller is vulnerable to exploitation from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed CIP packets to port 44818/TCP. No authentication required. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FRN 21.01 and later

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-343-05

Restart Required: Yes

Instructions:

1. Download the firmware update from the Rockwell Automation support portal.
2. Back up the current controller configuration.
3. Install firmware update FRN 21.01 or later.
4. Restart the controller.
5. Verify the firmware version and restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate controllers in separate network segments with strict firewall rules.

CIP Packet Filtering (applies to: all)

Configure firewalls to filter malformed CIP packets on port 44818/TCP.

🧯 If You Can't Patch

  • Implement strict network segmentation with industrial DMZ and allow-list only trusted IP addresses for CIP communication
  • Deploy intrusion detection systems monitoring for malformed CIP packets and anomalous traffic patterns on port 44818

🔍 How to Verify

Check if Vulnerable:

Check controller firmware version via Studio 5000 Logix Designer software or controller web interface

Check Version:

Use Studio 5000 Logix Designer: Right-click controller → Properties → Controller Information → Firmware Revision

Verify Fix Applied:

Verify firmware version is FRN 21.01 or later and test with CIP communication to ensure functionality

📡 Detection & Monitoring

Log Indicators:

  • Controller fault logs showing unexpected resets
  • Network logs showing malformed CIP packets to port 44818

Network Indicators:

  • Unusual CIP traffic patterns
  • Malformed packet attempts on port 44818/TCP
  • Traffic from unexpected sources to industrial controllers

SIEM Query:

source_port:44818 AND (packet_size:>1500 OR protocol_anomaly:true)

Field names depend on your SIEM schema. Traffic sent toward a controller carries 44818 as the destination port, while the controller's responses carry it as the source port, so match the port field to the direction you want to alert on.
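As an added illustration of the indicators above (example code written for this page, not part of the original advisory or any Rockwell tooling): a Python triage pass over constructed flow records that flags CIP traffic to controllers from sources outside an allow-list, frames over the 1500-byte threshold, and EtherNet/IP encapsulation headers whose declared length does not match the payload. The allow-list, controller addresses and sample records are assumptions, and the length-consistency check is a generic sanity check rather than the specific condition behind CVE-2016-9343.

```python
import struct
from typing import List, Optional, Tuple
ENIP_PORT = 44818      # EtherNet/IP encapsulation over TCP, the port named in this advisory
ENIP_HEADER_LEN = 24   # command(2) length(2) session(4) status(4) context(8) options(4)
MAX_FRAME = 1500       # packet_size threshold used by the SIEM query above

# Constructed allow-list and controller inventory (assumptions made for this example).
ALLOWED_SOURCES = {"10.10.1.5", "10.10.1.6"}   # engineering workstation, HMI
CONTROLLERS = {"10.10.2.20", "10.10.2.21"}     # Logix controllers
Finding = Tuple[str, str, str]   # (src_ip, dst_ip, reason)

def check_encap_header(payload: bytes) -> Optional[str]:
    """The 24-byte EtherNet/IP encapsulation header carries a 'length' field that
    must equal the number of bytes following the header; report any mismatch."""
    if len(payload) < ENIP_HEADER_LEN:
        return "truncated encapsulation header"
    _command, length = struct.unpack_from("<HH", payload, 0)
    actual = len(payload) - ENIP_HEADER_LEN
    return None if length == actual else f"encapsulation length {length} != actual {actual}"

def triage(records: List[Tuple[str, str, int, bytes]]) -> List[Finding]:
    """records are (src_ip, dst_ip, dst_port, tcp_payload); only CIP sent to a controller is examined."""
    findings: List[Finding] = []
    for src, dst, dport, payload in records:
        if dport != ENIP_PORT or dst not in CONTROLLERS:
            continue
        if src not in ALLOWED_SOURCES:
            findings.append((src, dst, "CIP from non-allow-listed source"))
        if len(payload) > MAX_FRAME:
            findings.append((src, dst, f"oversized frame of {len(payload)} bytes"))
        reason = check_encap_header(payload)
        if reason:
            findings.append((src, dst, reason))
    return findings

def frame(command: int, data: bytes = b"", declared: Optional[int] = None) -> bytes:
    """Build an encapsulation frame; 'declared' overrides the length field to construct a bad sample."""
    length = len(data) if declared is None else declared
    return struct.pack("<HHIIQI", command, length, 0, 0, 0, 0) + data

# Constructed sample records (commands: 0x0063 ListIdentity, 0x0065 RegisterSession, 0x006F SendRRData).
SAMPLE_RECORDS = [
    ("10.10.1.5", "10.10.2.20", ENIP_PORT, frame(0x0063)),                             # normal
    ("192.0.2.50", "10.10.2.20", ENIP_PORT, frame(0x0065, b"\x01\x00\x00\x00")),       # unexpected source
    ("10.10.1.6", "10.10.2.21", ENIP_PORT, frame(0x006F, b"\x00" * 4, declared=400)),  # length mismatch
    ("10.10.1.5", "10.10.2.20", 80, b"GET / HTTP/1.1\r\n"),                             # not CIP, ignored
]

def run_sample() -> List[Finding]:
    return triage(SAMPLE_RECORDS)
```

Feed `triage` records decoded from your own flow or packet capture and route its findings to the SIEM alongside the query above.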
