CVE-2024-6077
📋 TL;DR
A denial-of-service vulnerability in Rockwell Automation products allows attackers to send specially crafted packets to the CIP Security Object, causing the device to become unavailable and require a factory reset. This affects industrial control systems using vulnerable Rockwell Automation products. Organizations using these devices in operational technology environments are at risk.
💻 Affected Systems
- Rockwell Automation products with CIP Security Object functionality
📦 What is this software?
1756 En4 Firmware by Rockwellautomation
Compact Guardlogix 5380 Sil 2 Firmware by Rockwellautomation
Compact Guardlogix 5380 Sil 3 Firmware by Rockwellautomation
Compactlogix 5380 Firmware by Rockwellautomation
Compactlogix 5480 Firmware by Rockwellautomation
Controllogix 5580 Firmware by Rockwellautomation
Guardlogix 5580 Firmware by Rockwellautomation
⚠️ Risk & Real-World Impact
Worst Case
Critical industrial control system becomes completely unavailable, requiring physical factory reset and causing extended operational downtime in manufacturing or critical infrastructure.
Likely Case
Targeted device becomes unresponsive, requiring maintenance intervention and causing temporary disruption to industrial processes.
If Mitigated
Network segmentation and proper firewall rules prevent malicious packets from reaching vulnerable devices, minimizing operational impact.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to the CIP Security Object, which is network-based and doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Rockwell advisory SD1963 for specific fixed versions per product
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1963.html
Restart Required: Yes
Instructions:
1. Review Rockwell advisory SD1963 for affected products.
2. Download appropriate firmware updates from Rockwell support portal.
3. Follow Rockwell's firmware update procedures for your specific device.
4. Test in non-production environment first.
5. Apply during maintenance window as restart is required.
🔧 Temporary Workarounds
Network Segmentation
Isolate vulnerable devices in separate network segments with strict firewall rules
Access Control Lists
Implement ACLs to restrict access to CIP Security Object ports from trusted sources only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable devices from untrusted networks
- Deploy intrusion detection systems to monitor for malicious CIP traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against affected versions in Rockwell advisory SD1963
Check Version:
Device-specific commands vary by Rockwell product; typically through device web interface or Studio 5000 software
Verify Fix Applied:
Verify firmware version matches or exceeds fixed versions listed in Rockwell advisory
📡 Detection & Monitoring
Log Indicators:
- Device becoming unresponsive
- CIP Security Object error messages
- Network connection drops
Network Indicators:
- Unusual traffic patterns to CIP ports
- Malformed CIP packets
- Multiple connection attempts to device
SIEM Query:
source_ip=* AND dest_port IN (44818, 2222) AND protocol=TCP AND packet_size>threshold
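Added example (not from the vendor advisory or the original page): a Python version of the query above, run over constructed flow records, that also applies the trusted-source ACL and the "multiple connection attempts" indicator. The flow-record layout, trusted subnet, size threshold and attempt limit are assumptions.

```python
import ipaddress
from collections import Counter

CIP_PORTS = {44818, 2222}      # ports named in the SIEM query above
# Assumed values for this example; tune to your own network.
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.20.0/24")]
MAX_PACKET_SIZE = 1500         # stands in for the query's "threshold"
MAX_ATTEMPTS = 5               # flows per (source, device) pair

# Constructed flow records: "epoch src dst dport proto bytes"
SAMPLE_FLOWS = "\n".join(
    ["1718000000 10.10.20.15 10.10.30.5 44818 TCP 120",
     "1718000005 192.0.2.44 10.10.30.5 44818 TCP 4000",
     "1718000007 10.10.20.15 10.10.30.5 443 TCP 9000",
     "truncated line"]
    + [f"{1718000010 + i} 10.10.20.99 10.10.30.6 44818 TCP 64" for i in range(6)]
)

def is_trusted(src):
    """True if src falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)

def analyze(flow_text):
    """Return sorted, de-duplicated (alert, src, dst) tuples."""
    alerts, attempts = set(), Counter()
    for line in flow_text.splitlines():
        try:
            _ts, src, dst, dport, proto, size = line.split()
            dport, size, trusted = int(dport), int(size), is_trusted(src)
        except ValueError:
            continue  # skip records that do not parse
        if dport not in CIP_PORTS or proto != "TCP":
            continue  # same port and protocol filter as the query
        attempts[(src, dst)] += 1
        if not trusted:
            alerts.add(("untrusted_source", src, dst))
        if size > MAX_PACKET_SIZE:
            alerts.add(("oversized_packet", src, dst))
    for (src, dst), count in attempts.items():
        if count > MAX_ATTEMPTS:
            alerts.add(("repeated_attempts", src, dst))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(*alert)
```

A repeated_attempts alert from a trusted engineering host can be normal polling, so baseline the attempt limit per site before alerting on it.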