TRY NOW
Vulnerability

Rockwell Firmware Update Patches Critical Use-After-Free Vulnerability

3 min. read
30/01/2023
By Laura Libeer
Rockwell-Vulnerability-Blog_Image_Base_Featured

⚡ TL;DR | Go Straight to the Rockwell Vulnerability Report

Rockwell Automation has released firmware updates for 14 of its products in response to two critical vulnerabilities in the GoAhead web server. When successfully exploited, the two vulnerabilities could lead to arbitrary code execution, which could in turn compromise sensitive data, or even full system crashes.

CVE-2019-5096 and CVE-2019-5097

The vulnerabilities tracked as CVE-2019-5096 and CWE-2019-5097 received a CVSS v3 base score of 9.8 and 7.5 respectively. CVE-2019-5097 is a denial of service vulnerability located in the GoAhead web server. A malicious actor could cause an infinite loop in the process by sending a specially crafted HTTP request. This could cause the targeted device to crash.

CVE-2019-5096 is a critical use after free vulnerability that exists in how the web server processes requests. An attacker could leverage this issue to execute arbitrary code, again by sending a specially crafted HTTP request. This could in turn compromise sensitive data. You can find more information on these vulnerabilities in Rockwell’s advisory or on this page by the ICS.

Update Vulnerable Rockwell Devices

Rockwell has provided a list of all affected devices, with the vulnerable version as well as the fixed version. You can find the overview listed below as well. In order to protect yourself from the vulnerabilities listed above, you should update to the patched version as soon as possible.

If you are unable to update your firmware, or no update is available, Rockwell advises you take the following steps:

  • Disable the web server if possible. (You can find instructions on how to do so in the user manual in the Rockwell Automation literature library.)
  • Configure firewalls to disallow network communication through HTTP/Port 80.

Discover Vulnerable Devices

Based on the list of vulnerable devices and their fixed versions, our specialists have created a Lansweeper report that will provide you with a list of all devices that are at risk in your environment. This way you have an actionable list of devices that might require a patch.

ModelAffected VersionFixed version
1732E-8CFGM8R/A1.012 /
1732E-IF4M12R/A1.012 /
1732E-IR4IM12R/A1.012 /
1732E-IT4IM12R/A1.012 /
1732E-OF4M12R/A1.012 /
1732E-OB8M8SR/A1.013/
1732E-IB8M8SOER1.012 /
1732E-8IOLM12R2.011 /
1747-AENTR2.002 /
1769-AENTR1.001 1.003 or later 
5069-AEN2TR3.011 Migrate to the 5069-AENTR
1756-EN2TR/Cup to and including 11.001 11.002 or later 
1756-EN2T/Dup to and including 11.001 11.002 or later 
1756-EN2TSC/B10.01 /
1756-EN2TSC/B10.01 /
1756-HIST1G/Aup to and including 3.054 Update to series B v5.104 or C 7.100 or later 
1756-HIST2G/Aup to and including 3.054 Update to series B v5.104 or C 7.100 or later 
1756-HIST2G/Bup to and including 5.103 5.104 or later 
ControlLogix 5580 controllersV28 – V32 V32.016 or later 
GuardLogix 5580 controllersV31 – V32 V32.016 or later 
CompactLogix 5380 controllersV28 – V32 V32.016 or later 
Compact GuardLogix 5380 controllersV31 – V32 V32.016 or later 
CompactLogix 5480 controllersV32 V32.016 or later 
1756- EN2T/D11.001 /
1756-EN2TR/C11.001 11.002 or later 
1765 – EN3TR/B11.001 /
1756-EN2F/C11.001 11.002 or later 
1756-EN2TP/A11.001 11.002 or later 
NO CREDIT CARD REQUIRED

Ready to get started?
You’ll be up and running in no time.

Explore all our features, free for 14 days.