CVE-2016-9343
published 2017-02-13

Priority: P2 (60)
CVSS 3.1: 10.0 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 10.49% (95.2th percentile)
An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending a malformed Common Industrial Protocol (CIP) packet, an attacker may be able to overflow a stack-based buffer and execute code on the controller, or initiate a nonrecoverable fault resulting in a denial of service.

Affected

85 ranges, showing 25

Vendor              Product                                              Version range    Fixed in
rockwellautomation  1768_compact_guardlogix_l4xs_controller_firmware (5 ranges)
rockwellautomation  1768_compactlogix_l4x_controller_firmware (9 ranges)
rockwellautomation  1769_compactlogix_5370_l1_controller_firmware (4 ranges)
rockwellautomation  1769_compactlogix_5370_l2_controller_firmware (4 ranges)
rockwellautomation  1769_compactlogix_5370_l3_controller_firmware (3 ranges)

Detection & IOCs (extracted from sources)

Port: 2222 TCP/UDP
  • Detect malformed Common Industrial Protocol (CIP) packets targeting Rockwell Automation Logix5000 controllers, which may indicate exploitation attempts of this stack-based buffer overflow vulnerability.
  • Monitor for unexpected controller faults or reboots on Logix5000 devices, which may indicate a non-recoverable fault triggered by exploitation of this vulnerability.
  • Alert on any inbound CIP traffic to Logix5000 controllers on ports 2222 and 44818 originating from outside the Manufacturing Zone or from untrusted network segments.
  • Firmware versions prior to FRN 16.00 are explicitly NOT affected by this vulnerability; detection and patching efforts should focus only on FRN 16.00 through 21.00.
  • The FlexLogix controller is discontinued and will not receive a patched firmware; compensating controls (network segmentation, firewall rules) are the only available mitigations for that platform.
  • Keeping the controller in RUN mode (rather than Remote RUN or Remote Program) reduces the attack surface by preventing additional disruptive changes, but does not fully remediate the vulnerability.

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P