CVE-2021-33012

8.6 HIGH

📋 TL;DR

CVE-2021-33012 allows a remote, unauthenticated attacker to send a specially crafted command to a Rockwell Automation MicroLogix 1100 controller that causes the controller to fault when it is switched to RUN mode, a denial-of-service condition. All versions of the MicroLogix 1100 are affected and no firmware fix is available. A faulted controller stops executing its ladder program, so the controlled process halts until an operator clears the fault and returns the controller to RUN.

💻 Affected Systems

Products:
  • Rockwell Automation MicroLogix 1100
Versions: All versions
Operating Systems: Embedded controller firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Any MicroLogix 1100 whose Ethernet port is reachable by an attacker is exposed; no non-default setting is required.

📦 What is this software?

The MicroLogix 1100 (Bulletin 1763) is a small Allen-Bradley programmable logic controller from Rockwell Automation used for machine and small-process control. It is programmed with RSLogix 500 / RSLogix Micro and has a built-in EtherNet/IP port (TCP and UDP 44818) used for programming, monitoring and messaging.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who can keep sending the crafted command faults the controller every time it is returned to RUN mode, keeping the controlled process down until the traffic is blocked at the network. Each recovery requires an operator to clear the fault and restart the program, and there is no firmware fix to remove the condition.

🟠 Likely Case

A single fault that halts the controlled process until an operator clears the fault and returns the controller to RUN, causing an unplanned production stop.

🟢 If Mitigated

Negligible. The crafted command has to reach the controller's Ethernet port, so a controller that accepts EtherNet/IP only from its engineering workstations and HMIs, behind a firewall and on its own VLAN, is not exposed to untrusted hosts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that the attacker can deliver the crafted command to the controller's Ethernet interface; no credentials or prior access are needed, and the effect appears when the controller is switched to RUN mode.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A (no firmware fix released)

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01

Restart Required: N/A

Instructions:

No official patch is available. Rockwell Automation has not released a MicroLogix 1100 firmware update for this issue; apply the network controls below and follow the vendor recommendations in the CISA advisory.

🔧 Temporary Workarounds

Network Segmentation (all versions)

Place MicroLogix 1100 controllers on a dedicated control-network VLAN behind a firewall so that no host outside the OT segment can reach the controller's Ethernet port.

Access Control Lists (all versions)

Restrict EtherNet/IP traffic to the controllers (TCP and UDP 44818) to the specific engineering workstations and HMIs that need it, and drop everything else; an allowlist of source addresses is the control that actually blocks the crafted command.

🧯 If You Can't Patch

  • Implement network segmentation so that only the OT segment can reach the controllers, and allowlist the engineering and HMI hosts within it
  • Monitor EtherNet/IP traffic to the controllers with an ICS-aware IDS and alert on any source that is not on the allowlist
  • Consider migrating to a newer, supported controller family if possible, since no fix exists for the MicroLogix 1100

🔍 How to Verify

Check if Vulnerable:

Inventory your environment for MicroLogix 1100 controllers (Bulletin 1763 catalog numbers). Every unit found is vulnerable, since all firmware versions are affected.

Check Version:

Because every revision is affected, the version check only confirms the inventory. Read the controller's catalog number and firmware revision from RSLogix 500 (Controller Properties while online), or from the identity the controller returns over EtherNet/IP.

Verify Fix Applied:

There is no patch to verify. Instead, confirm from a host that is not on the allowlist that TCP and UDP 44818 to each controller is blocked, and confirm that the engineering workstation can still connect.
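The inventory step above can be done with the standard EtherNet/IP List Identity request, which is what controllers answer with their catalog number and firmware revision. The following is an added example, not code from Rockwell Automation or the CISA advisory: it builds the request, parses the reply, and flags Bulletin 1763 devices. The reply it parses is constructed in the script (the address, serial number, product code and "1763-L16BWA B/14.00" name string are illustrative), so it runs offline; `probe()` sends the same request to a real host. List Identity is a routine read-only request that commissioning tools and scanners use, but any active probing of controllers should be done from the engineering segment under change control.

```python
import socket
import struct

ENIP_PORT = 44818
LIST_IDENTITY = 0x0063          # EtherNet/IP encapsulation command
IDENTITY_ITEM = 0x000C          # CPF item type carried in the reply
ROCKWELL_VENDOR_ID = 1          # CIP vendor ID 1 = Rockwell Automation / Allen-Bradley
MICROLOGIX_1100_CATALOG = "1763-"   # MicroLogix 1100 is Bulletin 1763

# CIP Identity object 'state' attribute values
DEVICE_STATE = {0: "Nonexistent", 1: "Self Testing", 2: "Standby", 3: "Operational",
                4: "Major Recoverable Fault", 5: "Major Unrecoverable Fault"}


def build_list_identity_request() -> bytes:
    """24-byte encapsulation header, no payload: command, length, session handle,
    status, 8-byte sender context, options (all little-endian)."""
    return struct.pack("<HHII8sI", LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity_response(data: bytes) -> list[dict]:
    """Return one dict per Identity item in a List Identity reply."""
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from("<HHII8sI", data, 0)
    if cmd != LIST_IDENTITY:
        raise ValueError(f"unexpected encapsulation command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation status 0x{status:08x}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off, devices = 2, []
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if type_id != IDENTITY_ITEM or item_len < 34:
            continue
        # Item layout: encap version(2) | sockaddr_in, big-endian (16) | vendor(2)
        # device type(2) product code(2) rev major(1) rev minor(1) status(2)
        # serial(4) name length(1) | product name | state(1)
        _family, port = struct.unpack_from(">HH", item, 2)
        ip = socket.inet_ntoa(item[6:10])
        (vendor, dev_type, product, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
        name = item[33:33 + name_len].decode("ascii", errors="replace")
        state = item[33 + name_len]
        devices.append({
            "ip": ip, "port": port, "vendor_id": vendor, "device_type": dev_type,
            "product_code": product, "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status, "serial": f"{serial:08X}", "product_name": name,
            "state": DEVICE_STATE.get(state, f"unknown({state})"),
        })
    return devices


def is_micrologix_1100(dev: dict) -> bool:
    """Rockwell vendor ID plus a Bulletin 1763 catalog number identifies the MicroLogix 1100."""
    return (dev["vendor_id"] == ROCKWELL_VENDOR_ID
            and dev["product_name"].startswith(MICROLOGIX_1100_CATALOG))


def probe(host: str, timeout: float = 2.0) -> list[dict]:
    """Send one List Identity over UDP/44818 to a real host and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity_response(data)


def build_sample_response(ip: str, name: str, serial: int, state: int = 3) -> bytes:
    """Constructed reply for offline use; field values are illustrative, not a capture."""
    name_b = name.encode("ascii")
    sockaddr = struct.pack(">HH4s8x", 2, ENIP_PORT, socket.inet_aton(ip))  # AF_INET = 2
    identity = (struct.pack("<H", 1) + sockaddr
                + struct.pack("<HHHBBHIB", ROCKWELL_VENDOR_ID, 0x0E, 0x0041,
                              14, 0, 0x0030, serial, len(name_b))
                + name_b + struct.pack("<B", state))
    body = struct.pack("<HHH", 1, IDENTITY_ITEM, len(identity)) + identity
    return struct.pack("<HHII8sI", LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


# Constructed sample: a MicroLogix 1100 answering from an assumed address.
SAMPLE_RESPONSE = build_sample_response("192.168.1.20", "1763-L16BWA B/14.00", 0x00A1B2C3)

if __name__ == "__main__":
    for dev in parse_list_identity_response(SAMPLE_RESPONSE):
        flag = "VULNERABLE (CVE-2021-33012)" if is_micrologix_1100(dev) else "not in scope"
        print(f'{dev["ip"]} {dev["product_name"]} rev {dev["revision"]} {dev["state"]}: {flag}')
```

The `state` field is worth keeping in the inventory output: a controller answering with a Major Recoverable or Major Unrecoverable Fault state is in exactly the condition this CVE produces, so the same parser doubles as a health check when run from an allowlisted host.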

📡 Detection & Monitoring

Log Indicators:

  • A major fault on the transition to RUN mode with no preceding program download or configuration change (check the major error code in the controller status file with RSLogix 500)
  • Repeated faults on each attempt to return the controller to RUN

Network Indicators:

  • EtherNet/IP traffic (TCP or UDP 44818) to a controller from any host other than its known engineering workstations and HMIs
  • Connections to 44818 from outside the OT segment, or from hosts that have never talked CIP before

SIEM Query:

source_ip:external AND dest_port:44818 AND protocol:TCP

Adapt the field names to your SIEM and define "external" as the complement of your engineering and HMI allowlist rather than only non-OT addresses; as written, the query misses UDP traffic to 44818 and rogue hosts inside the control segment.
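The detection logic the indicators above describe, run over flow records, as an added example that is not part of the advisory or this page's original content. It assumes a constructed inventory (controllers at 192.168.1.20 and .21, one RSLogix workstation at 192.168.1.10, OT segment 192.168.1.0/24) and a constructed CSV flow export; none of these addresses comes from the advisory. It also implements a literal reading of the page's SIEM query so the two can be compared on the same records.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Optional

# EtherNet/IP: TCP/44818 explicit messaging (UDP/44818 carries List Identity),
# UDP/2222 CIP implicit I/O.
ENIP_PORTS = {44818, 2222}

# Assumed inventory for the example (not from the advisory).
OT_NET = ipaddress.ip_network("192.168.1.0/24")
CONTROLLERS = {ipaddress.ip_address(a) for a in ("192.168.1.20", "192.168.1.21")}
ENGINEERING_HOSTS = {ipaddress.ip_address("192.168.1.10")}   # RSLogix 500 workstation

# Constructed flow records in a generic CSV export shape; not a real capture.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
2021-07-08T10:00:01Z,192.168.1.10,52011,192.168.1.20,44818,tcp
2021-07-08T10:00:05Z,192.168.1.10,52012,192.168.1.21,44818,tcp
2021-07-08T10:01:17Z,10.20.30.40,40100,192.168.1.20,44818,tcp
2021-07-08T10:01:18Z,192.168.1.77,61000,192.168.1.20,44818,udp
2021-07-08T10:02:00Z,192.168.1.55,49152,192.168.1.10,3389,tcp
"""


@dataclass
class Alert:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    reason: str


def parse_flows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def classify(flow: dict) -> Optional[Alert]:
    """Alert on any EtherNet/IP flow to a MicroLogix that is not from an allowlisted host."""
    src = ipaddress.ip_address(flow["src_ip"])
    dst = ipaddress.ip_address(flow["dst_ip"])
    port = int(flow["dst_port"])
    if dst not in CONTROLLERS or port not in ENIP_PORTS:
        return None                       # not CIP traffic to a controller; out of scope
    if src in ENGINEERING_HOSTS:
        return None                       # expected RSLogix / HMI traffic
    if src not in OT_NET:
        reason = "EtherNet/IP to controller from outside the OT segment"
    else:
        reason = "EtherNet/IP to controller from an OT host not on the allowlist"
    return Alert(flow["ts"], str(src), str(dst), port, flow["proto"], reason)


def detect(text: str) -> list[Alert]:
    return [a for a in (classify(f) for f in parse_flows(text)) if a is not None]


def matches_page_query(flow: dict) -> bool:
    """Literal reading of the page's query, with 'external' taken to mean outside OT_NET:
    source_ip:external AND dest_port:44818 AND protocol:TCP"""
    return (ipaddress.ip_address(flow["src_ip"]) not in OT_NET
            and int(flow["dst_port"]) == 44818
            and flow["proto"].lower() == "tcp")


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(f"{alert.ts} {alert.src_ip} -> {alert.dst_ip}:{alert.dst_port}/{alert.proto}: {alert.reason}")
```

On the constructed records the allowlist rule raises two alerts: the IT-side host 10.20.30.40 and the unlisted OT host 192.168.1.77 sending UDP to 44818. The page's query catches only the first, which is why the allowlist, not a segment boundary, should define "unexpected" for controllers that cannot be patched.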

🔗 References

  • CISA ICS Advisory ICSA-21-189-01, Rockwell Automation MicroLogix 1100: https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01
  • NVD entry for CVE-2021-33012: https://nvd.nist.gov/vuln/detail/CVE-2021-33012
