CVE-2020-6085

CVSS Base Score: 7.5 HIGH

📋 TL;DR

CVE-2020-6085 is a denial-of-service vulnerability in Allen-Bradley Flex IO devices where a specially crafted ENIP request with a malformed Electronic Key Segment can cause the device to lose communications. This affects industrial control systems using vulnerable Flex IO 1794-AENT/B modules, potentially disrupting operations.

💻 Affected Systems

Products:
  • Allen-Bradley Flex IO 1794-AENT/B
Versions: 4.003
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using EtherNet/IP protocol for communications in industrial control systems.

📦 What is this software?

The Allen-Bradley 1794-AENT/B is the FLEX I/O EtherNet/IP adapter module: it connects a rack of FLEX I/O input/output modules to an EtherNet/IP network so that controllers (PLCs) can read inputs and write outputs over the network. Because the adapter is the device's only path to the controller, a loss of communications on the adapter takes the whole I/O rack offline.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete loss of communications with the Flex IO device, disrupting industrial processes and causing operational downtime in critical infrastructure environments.

🟠 Likely Case: Temporary denial of service requiring a device reboot to restore functionality, causing production interruptions in manufacturing or industrial settings.

🟢 If Mitigated: Minimal impact if network segmentation and access controls prevent unauthorized access to industrial control networks.

🌐 Internet-Facing: MEDIUM - While industrial devices shouldn't be internet-facing, misconfigurations could expose them, but exploitation requires specific network access.
🏢 Internal Only: HIGH - Within industrial control networks, this vulnerability can be exploited by attackers who gain internal access, causing significant operational disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a single malformed packet to the device's EtherNet/IP port (typically TCP/44818). The vulnerability is well-documented in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Rockwell Automation for firmware updates

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1127680

Restart Required: Yes

Instructions:

1. Contact Rockwell Automation for firmware updates.
2. Download the appropriate firmware from the Rockwell support portal.
3. Follow the manufacturer's firmware update procedures for Flex IO devices.
4. Test the updated firmware in a non-production environment first.

🔧 Temporary Workarounds

Network Segmentation (applies to: all): Isolate the industrial control network from the corporate network using firewalls with strict rules.

Access Control Lists (applies to: all): Implement ACLs to restrict access to EtherNet/IP ports (TCP/44818) to authorized devices only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate industrial control systems from other networks
  • Deploy intrusion detection systems monitoring for malformed ENIP packets on industrial networks

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via Rockwell Automation software or web interface. Version 4.003 is vulnerable.

Check Version:

Use Rockwell Automation's RSLinx or Studio 5000 to check firmware version of 1794-AENT/B modules

Verify Fix Applied:

Verify firmware has been updated to version newer than 4.003 through manufacturer's management tools.

📡 Detection & Monitoring

Log Indicators:

  • Device communication loss logs
  • Network timeout errors in SCADA/PLC logs

Network Indicators:

  • Malformed ENIP packets whose Electronic Key Segment is shorter than 0x18 (24) bytes
  • Traffic to TCP/44818 with abnormal packet structure

SIEM Query:

dest_port=44818 AND (packet_size < threshold OR protocol_violation=ENIP)

This is a generic pseudo-query: the malformed request is sent to the device's EtherNet/IP port, so match on the destination port (TCP/44818) rather than the source port, and substitute your SIEM's actual field names and a size threshold appropriate for your network.
