CVE-2020-13573

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in Rockwell Automation RSLinx Classic's Ethernet/IP server allows attackers to crash the service by sending specially crafted network packets. This affects industrial control systems using RSLinx Classic for communication with Rockwell PLCs and other devices. The vulnerability requires network access to the vulnerable service.

💻 Affected Systems

Products:
  • Rockwell Automation RSLinx Classic
Versions: Version 2.57.00.14 CPR 9 SR 3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Ethernet/IP server functionality. Systems using RSLinx Classic for communication with Rockwell devices are vulnerable if the service is running.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of industrial operations by crashing RSLinx Classic, preventing communication with PLCs and causing production downtime.

🟠 Likely Case

Service disruption requiring manual restart of RSLinx Classic, causing temporary production interruptions.

🟢 If Mitigated

Minimal impact if service is isolated and monitored with automatic restart capabilities.

🌐 Internet-Facing: HIGH if exposed to the internet, as unauthenticated network packets can trigger the DoS.
🏢 Internal Only: MEDIUM, as internal attackers or malware could still exploit it, but exploitation requires network access to the service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The Talos report includes technical details that could be used to create exploits. The vulnerability requires sending specific packet sequences to the Ethernet/IP port.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.11.00 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1127683

Restart Required: Yes

Instructions:

1. Download RSLinx Classic 4.11.00 or later from the Rockwell Automation website.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the system to apply changes.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate RSLinx Classic systems from untrusted networks using firewalls or network segmentation.

Service Monitoring and Auto-restart (platform: windows)

Configure monitoring to detect RSLinx Classic crashes and automatically restart the service.

sc failure RSLinxClassic reset= 86400 actions= restart/60000/restart/120000/restart/180000

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to RSLinx Classic from trusted sources only.
  • Deploy network intrusion detection systems to monitor for malicious Ethernet/IP packets and alert on suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check RSLinx Classic version via Help > About in the application or check installed programs in Windows.

Check Version:

wmic product where "name like 'RSLinx%'" get version

Verify Fix Applied:

Verify version is 4.11.00 or later and test Ethernet/IP connectivity with legitimate clients.

📡 Detection & Monitoring

Log Indicators:

  • RSLinx Classic service crash events in Windows Event Log
  • Unexpected service restarts

Network Indicators:

  • Multiple malformed Ethernet/IP packets to port 44818
  • Unusual traffic patterns to RSLinx Classic systems

SIEM Query:

source="windows" AND (event_id=7031 OR event_id=7034) AND service_name="RSLinxClassic"
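
With the auto-restart workaround in place a crash no longer shows up as a lasting outage, so repeated 7031/7034 events become the signal worth alerting on. The following is an added example, not code from Rockwell or Talos, that extends the query above into a per-host burst check; the record layout, the "host" and "time" fields, the host names and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CRASH_EVENT_IDS = {7031, 7034}   # Service Control Manager: service terminated unexpectedly
SERVICE_NAME = "RSLinxClassic"   # service name as written in the page's sc and SIEM lines

# Constructed sample records, not real logs. Field names follow the SIEM query;
# "host" and "time" are assumed fields.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "time": "2024-01-10T08:00:05", "event_id": 7031, "service_name": "RSLinxClassic"},
    {"host": "hmi-01", "time": "2024-01-10T08:01:10", "event_id": 7031, "service_name": "RSLinxClassic"},
    {"host": "hmi-01", "time": "2024-01-10T08:02:00", "event_id": 7031, "service_name": "Spooler"},
    {"host": "hmi-01", "time": "2024-01-10T08:03:15", "event_id": 7031, "service_name": "RSLinxClassic"},
    {"host": "hmi-01", "time": "2024-01-10T08:06:20", "event_id": 7034, "service_name": "RSLinxClassic"},
    {"host": "hmi-02", "time": "2024-01-10T09:00:00", "event_id": 7034, "service_name": "RSLinxClassic"},
    {"host": "hmi-02", "time": "2024-01-10T09:00:30", "event_id": 7036, "service_name": "RSLinxClassic"},
]


def crash_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return (host, first_crash, alert_time) for each burst of `threshold`
    or more RSLinxClassic crash events on one host within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] in CRASH_EVENT_IDS and ev["service_name"] == SERVICE_NAME:
            per_host[ev["host"]].append(datetime.fromisoformat(ev["time"]))

    alerts = []
    for host, times in sorted(per_host.items()):
        recent, alerting = deque(), False
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:      # drop crashes older than the window
                recent.popleft()
            if len(recent) >= threshold and not alerting:
                alerts.append((host, recent[0].isoformat(), t.isoformat()))
                alerting = True                # one alert per burst, not per crash
            elif len(recent) < threshold:
                alerting = False
    return alerts


if __name__ == "__main__":
    # The window must be wider than the restart delays (60 s, 120 s, 180 s in the
    # sc failure line), or crashes spaced out by those delays never share a window.
    for host, first, alerted in crash_bursts(SAMPLE_EVENTS):
        print(f"{host}: repeated RSLinxClassic crashes since {first} (alert at {alerted})")
```

A single crash on a host stays below the default threshold; lower `threshold` to 1 to alert on every crash instead.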
