CVE-2020-6086
📋 TL;DR
CVE-2020-6086 is a remotely triggerable denial-of-service vulnerability in the EtherNet/IP (ENIP) request handling of Allen-Bradley Flex I/O 1794-AENT/B adapter modules. A single crafted ENIP request whose CIP request path carries a Simple Data Segment with an oversized Data Size value causes the device to enter a fault state and stop communicating; restoring communications requires a physical power cycle. The impact is confined to industrial control systems that use this module, but the attack needs nothing more than network reachability to the device's ENIP port.
💻 Affected Systems
- Allen-Bradley Flex IO 1794-AENT/B
📦 What is this software?
Firmware for the Flex I/O 1794-AENT/B, an EtherNet/IP adapter module from Rockwell Automation's Allen-Bradley product line that connects Flex I/O racks to a controller over ENIP.
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of communication with the I/O adapter until someone physically power-cycles it, which can halt or disrupt the process the attached I/O serves.
Likely Case
Targeted denial-of-service attacks against specific adapters from an attacker who already has network access to the control segment, causing temporary operational disruption.
If Mitigated
Minimal impact if the devices are segmented from untrusted networks and ENIP traffic is restricted to the controllers and engineering stations that need it.
🎯 Exploit Status
Exploitation requires sending a single malformed ENIP packet to the device; no authentication or prior session state is needed beyond network reachability. Proof-of-concept code is publicly available in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the Rockwell Automation security advisory for the specific fixed firmware version for the 1794-AENT/B
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory-summary.html
Restart Required: Yes (a firmware update power-cycles the module; a device already in the fault state also needs a power cycle before it can be updated)
Instructions:
1. Check the current firmware version.
2. Download the updated firmware from Rockwell Automation.
3. Apply the firmware update following the vendor instructions.
4. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks using firewalls and VLANs.
Access Control Lists
Restrict network access so that only trusted IP addresses that need to communicate with the devices (the owning controller and engineering workstations) can reach them.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the devices from untrusted traffic; in particular, do not expose TCP/44818 beyond the control network.
- Deploy intrusion detection on the control network segment to flag malformed ENIP packets (see Detection & Monitoring below) and alert on any communication loss with the adapter.
🔍 How to Verify
Check if Vulnerable:
Compare the device firmware version with the affected and fixed versions listed in the Rockwell Automation security advisory; devices running firmware older than the fixed version are vulnerable.
Check Version:
Read the firmware revision via Rockwell Automation programming/configuration software or the module's web interface.
Verify Fix Applied:
Confirm the reported firmware revision matches the fixed version specified in the vendor advisory, then confirm the module communicates normally with its controller.
📡 Detection & Monitoring
Log Indicators:
- Device fault state logs
- Communication loss alerts
- Power cycle events
Network Indicators:
- Malformed ENIP requests whose CIP request path contains a Data Segment of the Simple sub-type (segment byte 0x80) followed by a Data Size value larger than the request path can hold
- Unexpected traffic to TCP/44818 (ENIP explicit messaging), especially from hosts that are not the owning controller or an engineering station
SIEM Query:
Alert on connections to TCP/44818 from any source not on the allow-list for the adapter, and on any ENIP request in which the CIP request path carries a Simple Data Segment (0x80) whose Data Size (in 16-bit words) exceeds the bytes remaining in the request path. Correlate alerts with subsequent communication-loss events for the same device.
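The following detector is an added example, not code from the original page or from Rockwell Automation or Cisco Talos. It implements the network indicator above: it parses an ENIP SendRRData frame, extracts the unconnected CIP request, walks the request path, and flags a Simple Data Segment whose declared Data Size exceeds the bytes remaining in the path. The three sample frames are constructed for the detector; the malformed one only exercises the parser and is not claimed to reproduce the device fault.

```python
"""Flag ENIP SendRRData requests whose CIP request path carries a Simple
Data Segment (segment byte 0x80) declaring more data than the path holds."""
import struct
from typing import List, Optional, Tuple

ENIP_SEND_RR_DATA = 0x006F          # encapsulation command carrying unconnected CIP
CPF_ITEM_NULL_ADDRESS = 0x0000
CPF_ITEM_UNCONNECTED_DATA = 0x00B2
SEG_SIMPLE_DATA = 0x80              # Data Segment, Simple sub-type
SEG_ANSI_SYMBOL = 0x91              # Data Segment, ANSI Extended Symbol sub-type


def parse_enip(frame: bytes) -> Tuple[int, bytes]:
    """Split a 24-byte ENIP encapsulation header from its payload."""
    if len(frame) < 24:
        raise ValueError("short ENIP header")
    command, length = struct.unpack_from("<HH", frame, 0)
    payload = frame[24:24 + length]
    if len(payload) != length:
        raise ValueError("ENIP length field exceeds frame")
    return command, payload


def unconnected_cip_request(payload: bytes) -> Optional[bytes]:
    """Return the Unconnected Data item body from a SendRRData CPF block."""
    if len(payload) < 8:                      # interface handle(4) timeout(2) count(2)
        return None
    item_count = struct.unpack_from("<H", payload, 6)[0]
    off = 8
    for _ in range(item_count):
        if off + 4 > len(payload):
            return None
        item_type, item_len = struct.unpack_from("<HH", payload, off)
        off += 4
        body = payload[off:off + item_len]
        if len(body) != item_len:
            return None
        if item_type == CPF_ITEM_UNCONNECTED_DATA:
            return body
        off += item_len
    return None


def oversized_simple_segments(cip: bytes) -> List[str]:
    """Walk the CIP request path (service, path size in words, EPATH) and
    report Simple Data Segments whose Data Size overruns the path.  Logical
    segments (class/instance/attribute) and the two data sub-types are decoded;
    anything else stops the walk with a note."""
    if len(cip) < 2:
        return ["truncated CIP request"]
    path_words = cip[1]
    path = cip[2:2 + path_words * 2]
    if len(path) != path_words * 2:
        return ["request path size exceeds message"]
    findings: List[str] = []
    i = 0
    while i < len(path):
        seg = path[i]
        if seg & 0xE0 == 0x20:                # logical segment; low 2 bits = width
            i += {0: 2, 1: 4, 2: 6}.get(seg & 0x03, len(path))
        elif seg == SEG_SIMPLE_DATA:
            if i + 1 >= len(path):
                findings.append("simple data segment without size byte")
                break
            size_words = path[i + 1]
            remaining = len(path) - (i + 2)
            if size_words * 2 > remaining:    # the indicator for this CVE
                findings.append(f"simple data segment declares {size_words} words "
                                f"({size_words * 2} bytes) but only {remaining} remain")
                break
            i += 2 + size_words * 2
        elif seg == SEG_ANSI_SYMBOL:
            if i + 1 >= len(path):
                findings.append("symbol segment without length byte")
                break
            n = path[i + 1]
            i += 2 + n + (n & 1)              # symbol is padded to an even length
        else:
            findings.append(f"unhandled segment type 0x{seg:02x}")
            break
    return findings


def inspect_frame(frame: bytes) -> List[str]:
    """End-to-end check for one TCP/44818 application-layer message."""
    command, payload = parse_enip(frame)
    if command != ENIP_SEND_RR_DATA:
        return []
    cip = unconnected_cip_request(payload)
    return [] if cip is None else oversized_simple_segments(cip)


def build_send_rr_data(cip: bytes, session: int = 0x11223344) -> bytes:
    """Wrap a CIP request in SendRRData + CPF (used here only to construct samples)."""
    cpf = struct.pack("<IHH", 0, 0, 2)
    cpf += struct.pack("<HH", CPF_ITEM_NULL_ADDRESS, 0)
    cpf += struct.pack("<HH", CPF_ITEM_UNCONNECTED_DATA, len(cip)) + cip
    return struct.pack("<HHII8sI", ENIP_SEND_RR_DATA, len(cpf), session, 0, b"\0" * 8, 0) + cpf


# Constructed samples (service 0x01 Get_Attributes_All on Identity class 1, instance 1).
BENIGN_FRAME = build_send_rr_data(bytes([0x01, 0x02, 0x20, 0x01, 0x24, 0x01]))
BENIGN_DATA_SEGMENT_FRAME = build_send_rr_data(
    bytes([0x01, 0x04, 0x20, 0x01, 0x24, 0x01, 0x80, 0x01, 0xAA, 0xBB]))  # 1 word, fits
MALFORMED_FRAME = build_send_rr_data(
    bytes([0x01, 0x03, 0x20, 0x01, 0x24, 0x01, 0x80, 0x7F]))  # claims 127 words, holds 0

if __name__ == "__main__":
    for name, frame in [("benign", BENIGN_FRAME), ("benign+data", BENIGN_DATA_SEGMENT_FRAME),
                        ("malformed", MALFORMED_FRAME)]:
        print(name, inspect_frame(frame) or "ok")
```

The same walk can be dropped into a Zeek or Suricata Lua script, or run over reassembled TCP/44818 streams from a span port; the check is stateless per message, so it fits inline on a control-network tap. Note that the ANSI Extended Symbol sub-type is parsed but not judged here, so an overlong symbol segment simply ends the walk at the path boundary.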