⚡ TL;DR | Go Straight to the Rockwell Vulnerability Report
Rockwell Automation has released firmware updates for 14 of its products in response to two critical vulnerabilities in the GoAhead web server. When successfully exploited, the two vulnerabilities could lead to arbitrary code execution, which could in turn compromise sensitive data, or even full system crashes.
CVE-2019-5096 and CVE-2019-5097
The vulnerabilities tracked as CVE-2019-5096 and CWE-2019-5097 received a CVSS v3 base score of 9.8 and 7.5 respectively. CVE-2019-5097 is a denial of service vulnerability located in the GoAhead web server. A malicious actor could cause an infinite loop in the process by sending a specially crafted HTTP request. This could cause the targeted device to crash.
CVE-2019-5096 is a critical use after free vulnerability that exists in how the web server processes requests. An attacker could leverage this issue to execute arbitrary code, again by sending a specially crafted HTTP request. This could in turn compromise sensitive data. You can find more information on these vulnerabilities in Rockwell’s advisory or on this page by the ICS.
Update Vulnerable Rockwell Devices
Rockwell has provided a list of all affected devices, with the vulnerable version as well as the fixed version. You can find the overview listed below as well. In order to protect yourself from the vulnerabilities listed above, you should update to the patched version as soon as possible.
If you are unable to update your firmware, or no update is available, Rockwell advises you take the following steps:
- Disable the web server if possible. (You can find instructions on how to do so in the user manual in the Rockwell Automation literature library.)
- Configure firewalls to disallow network communication through HTTP/Port 80.
Discover Vulnerable Devices
Based on the list of vulnerable devices and their fixed versions, our specialists have created a Lansweeper report that will provide you with a list of all devices that are at risk in your environment. This way you have an actionable list of devices that might require a patch.
| Model | Affected Version | Fixed version |
|---|---|---|
| 1732E-8CFGM8R/A | 1.012 | / |
| 1732E-IF4M12R/A | 1.012 | / |
| 1732E-IR4IM12R/A | 1.012 | / |
| 1732E-IT4IM12R/A | 1.012 | / |
| 1732E-OF4M12R/A | 1.012 | / |
| 1732E-OB8M8SR/A | 1.013 | / |
| 1732E-IB8M8SOER | 1.012 | / |
| 1732E-8IOLM12R | 2.011 | / |
| 1747-AENTR | 2.002 | / |
| 1769-AENTR | 1.001 | 1.003 or later |
| 5069-AEN2TR | 3.011 | Migrate to the 5069-AENTR |
| 1756-EN2TR/C | up to and including 11.001 | 11.002 or later |
| 1756-EN2T/D | up to and including 11.001 | 11.002 or later |
| 1756-EN2TSC/B | 10.01 | / |
| 1756-EN2TSC/B | 10.01 | / |
| 1756-HIST1G/A | up to and including 3.054 | Update to series B v5.104 or C 7.100 or later |
| 1756-HIST2G/A | up to and including 3.054 | Update to series B v5.104 or C 7.100 or later |
| 1756-HIST2G/B | up to and including 5.103 | 5.104 or later |
| ControlLogix 5580 controllers | V28 – V32 | V32.016 or later |
| GuardLogix 5580 controllers | V31 – V32 | V32.016 or later |
| CompactLogix 5380 controllers | V28 – V32 | V32.016 or later |
| Compact GuardLogix 5380 controllers | V31 – V32 | V32.016 or later |
| CompactLogix 5480 controllers | V32 | V32.016 or later |
| 1756- EN2T/D | 11.001 | / |
| 1756-EN2TR/C | 11.001 | 11.002 or later |
| 1765 – EN3TR/B | 11.001 | / |
| 1756-EN2F/C | 11.001 | 11.002 or later |
| 1756-EN2TP/A | 11.001 | 11.002 or later |