CVE-2016-9343
Published: 2017-02-13
Priority P2 · 60 · critical · CVSS 3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 10.49% (95.2th percentile)
An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending a malformed Common Industrial Protocol (CIP) packet, an attacker may be able to overflow a stack-based buffer and execute code on the controller or initiate a nonrecoverable fault resulting in a denial of service.
Affected
85 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwellautomation | 1768_compact_guardlogix_l4xs_controller_firmware | — | — |
| rockwellautomation | 1768_compact_guardlogix_l4xs_controller_firmware | — | — |
| rockwellautomation | 1768_compact_guardlogix_l4xs_controller_firmware | — | — |
| rockwellautomation | 1768_compact_guardlogix_l4xs_controller_firmware | — | — |
| rockwellautomation | 1768_compact_guardlogix_l4xs_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1768_compactlogix_l4x_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l1_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l1_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l1_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l1_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l2_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l2_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l2_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l2_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l3_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l3_controller_firmware | — | — |
| rockwellautomation | 1769_compactlogix_5370_l3_controller_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect malformed Common Industrial Protocol (CIP) packets targeting Rockwell Automation Logix5000 controllers, which may indicate exploitation attempts of this stack-based buffer overflow vulnerability.
- Monitor for unexpected controller faults or reboots on Logix5000 devices, which may indicate a non-recoverable fault triggered by exploitation of this vulnerability.
- Alert on any inbound CIP traffic to Logix5000 controllers on ports 2222 and 44818 originating from outside the Manufacturing Zone or from untrusted network segments.
- Firmware versions prior to FRN 16.00 are explicitly NOT affected by this vulnerability; detection and patching efforts should focus only on FRN 16.00 through 21.00.
- The FlexLogix controller is discontinued and will not receive a patched firmware; compensating controls (network segmentation, firewall rules) are the only available mitigations for that platform.
- Keeping the controller in RUN mode (rather than Remote RUN or Remote Program) reduces the attack surface by preventing additional disruptive changes, but does not fully remediate the vulnerability.
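One way to implement the third detection item above (alerting on CIP traffic to controllers on ports 2222 and 44818 from outside the Manufacturing Zone) over exported flow records. This is an added example, not code from the advisory or the vendor; the zone CIDR, controller addresses, record format and function names are assumptions, and the sample flows are constructed.

```python
import ipaddress

# Assumptions (not from the advisory): replace these placeholders with your
# own Manufacturing Zone ranges and Logix5000 controller inventory.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]
LOGIX_CONTROLLERS = {ipaddress.ip_address("10.20.5.10"),
                     ipaddress.ip_address("10.20.5.11")}
CIP_PORTS = {2222, 44818}  # the two ports named in the detection guidance

# Constructed sample flow records: "timestamp,src_ip,dst_ip,dst_port"
SAMPLE_FLOWS = """\
2017-02-14T08:00:01Z,10.20.7.40,10.20.5.10,44818
2017-02-14T08:00:05Z,192.168.50.9,10.20.5.10,44818
2017-02-14T08:00:09Z,203.0.113.77,10.20.5.11,2222
2017-02-14T08:00:12Z,192.168.50.9,10.20.5.10,443
2017-02-14T08:00:15Z,10.20.7.40,10.20.9.99,44818
not,a,valid,line
"""

def in_manufacturing_zone(addr):
    """True if the address belongs to any trusted Manufacturing Zone range."""
    return any(addr in net for net in MANUFACTURING_ZONE)

def find_untrusted_cip_flows(flow_text):
    """Return (alerts, rejected).

    alerts: flows to a known controller on a CIP port whose source is
    outside the Manufacturing Zone. rejected: lines that failed to parse,
    kept so telemetry gaps are visible instead of silently dropped.
    """
    alerts, rejected = [], []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, port = line.strip().split(",")
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:  # wrong field count, bad address or bad port
            rejected.append(line)
            continue
        if (dst in LOGIX_CONTROLLERS and port in CIP_PORTS
                and not in_manufacturing_zone(src)):
            alerts.append((ts, str(src), str(dst), port))
    return alerts, rejected

if __name__ == "__main__":
    alerts, rejected = find_untrusted_cip_flows(SAMPLE_FLOWS)
    for alert in alerts:
        print("ALERT untrusted CIP source:", *alert)
    print("unparsed lines:", len(rejected))
```
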
CVSS provenance
- NVD, CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-72wj-rc4p-79mm: An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16
ghsa_unreviewed · 2022-05-13
CVE-2016-9343 [CRITICAL] CWE-787 GHSA-72wj-rc4p-79mm
CISA ICS
Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow Vulnerability (Update B)
cisa_ics · 2017-02-14
ICS Advisory
Last Revised: September 18, 2018
Alert Code: ICSA-16-343-05
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rockwell Automation
- Equipment: Logix5000
- Vulnerability: Stack-based Buffer Overflow
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the previously updated advisory titled ICSA-16-343-05A Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow Vulnerability (Upd
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.