CVE-2019-10952
Published 2019-05-01
Priority: P2 (64) · Critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.99% (95.0th percentile)
An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30 and earlier.
Affected (9 ranges)

Controllers on FRN 20.011 through 30.014 (and earlier) are affected; FRN 31.011 and later contain the fix.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | armor_compact_guardlogix_5370_controllers | 20 – 30 (FRN 20.011 – 30.014) | FRN 31.011 |
| rockwell_automation | compact_guardlogix_5370_controllers | 20 – 30 (FRN 20.011 – 30.014) | FRN 31.011 |
| rockwell_automation | compactlogix_5370_l1_controllers | 20 – 30 (FRN 20.011 – 30.014) | FRN 31.011 |
| rockwell_automation | compactlogix_5370_l2_controllers | 20 – 30 (FRN 20.011 – 30.014) | FRN 31.011 |
| rockwell_automation | compactlogix_5370_l3_controllers | 20 – 30 (FRN 20.011 – 30.014) | FRN 31.011 |
| rockwellautomation | armor_compact_guardlogix_5370_firmware | 20.011 – 30.014 | 31.011 |
| rockwellautomation | compactlogix_5370_l1_firmware | 20.011 – 30.014 | 31.011 |
| rockwellautomation | compactlogix_5370_l2_firmware | 20.011 – 30.014 | 31.011 |
| rockwellautomation | compactlogix_5370_l3_firmware | 20.011 – 30.014 | 31.011 |
Detection & IOCs (extracted from sources)
- Monitor for crafted HTTP/HTTPS requests to the CompactLogix 5370 web server (ports 80/443) that leave the web server unavailable or fault the controller; this is the exploitation path for CVE-2019-10952.
- Alert when a CompactLogix 5370 controller enters a major non-recoverable fault (MNRF) shortly after inbound network traffic; that is the key post-exploitation indicator.
- Detect and block unsolicited SMTP packets to CompactLogix 5370 controllers from unauthorized sources; crafted SMTP packets are the vector for the companion stack-based buffer overflow in the same advisory (CVE-2019-10954).
- Flag CompactLogix 5370 controllers running firmware 20 through 30 (any FRN before 31.011) that are reachable on ports 80, 443, 2222 or 44818 as high-priority targets for patching and network segmentation.
- Recovery from exploitation requires a cold restart of the controller; the controller does not recover on its own.
- No public exploits were known at advisory publication, but the flaw is remotely exploitable with low attack complexity and needs no authentication.
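The inventory and log checks those bullets describe, as an added Python example (not code from the advisory, CISA or Rockwell). The hostnames, firmware strings, IP addresses and timestamps below are constructed; only the affected FRN range (20.011 through 30.014, fixed in 31.011) and the port list (80, 443, 2222, 44818) come from the bullets above and the advisory.

```python
"""Triage a CompactLogix 5370 inventory and fault/connection logs against the
CVE-2019-10952 indicators. Added example, not code from the advisory, CISA or
Rockwell. All hosts, firmware strings, IPs and timestamps are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Product families named in the CVE description.
AFFECTED_FAMILIES = {
    "CompactLogix 5370 L1",
    "CompactLogix 5370 L2",
    "CompactLogix 5370 L3",
    "Compact GuardLogix 5370",
    "Armor Compact GuardLogix 5370",
}
FIXED_IN = (31, 11)                      # FRN 31.011; anything below is affected
EXPOSED_PORTS = {80, 443, 2222, 44818}   # ports named in the advisory


@dataclass(frozen=True)
class Controller:
    name: str
    family: str
    firmware: str              # Rockwell FRN string, e.g. "30.014"
    open_ports: frozenset[int]


def parse_frn(frn: str) -> tuple[int, int]:
    """Turn 'MAJOR.MINOR' into a numerically comparable tuple. The minor part
    is zero-padded in FRN strings ('30.014'), so a plain string comparison
    would misorder '30.014' against '30.9'; compare as integers instead."""
    major, minor = frn.strip().split(".", 1)
    return int(major), int(minor)


def is_affected(family: str, firmware: str) -> bool:
    """True for a listed family on any FRN before 31.011 (the CVE text says
    'versions 20-30 and earlier', so older firmware is flagged too)."""
    return family in AFFECTED_FAMILIES and parse_frn(firmware) < FIXED_IN


def triage(controllers: list[Controller]) -> list[tuple[str, str]]:
    """Return (name, reason) for every affected controller, network-exposed
    ones first, so the patch/segmentation queue follows the advisory's priority."""
    findings = []
    for c in controllers:
        if not is_affected(c.family, c.firmware):
            continue
        exposed = sorted(c.open_ports & EXPOSED_PORTS)
        if exposed:
            findings.append((c.name, f"FRN {c.firmware} affected, reachable on ports {exposed}"))
        else:
            findings.append((c.name, f"FRN {c.firmware} affected, listed ports not reachable"))
    findings.sort(key=lambda f: "not reachable" in f[1])  # stable sort: exposed first
    return findings


def faults_after_inbound(fault_log, conn_log, window=timedelta(seconds=60)):
    """Post-exploitation indicator: an MNRF fault preceded within `window` by
    inbound traffic to the same controller. Row layouts are constructed here:
    fault_log rows: (timestamp, controller, fault_code)
    conn_log rows:  (timestamp, controller, source_ip, dest_port)"""
    hits = []
    for fault_ts, host, code in fault_log:
        if code != "MNRF":
            continue
        for conn_ts, conn_host, src, port in conn_log:
            if conn_host == host and fault_ts - window <= conn_ts <= fault_ts:
                hits.append((host, src, port))
    return hits


# Constructed sample inventory and logs (not real assets).
INVENTORY = [
    Controller("plc-line1", "CompactLogix 5370 L3", "30.014", frozenset({80, 44818})),
    Controller("plc-line2", "CompactLogix 5370 L1", "31.011", frozenset({80, 44818})),
    Controller("plc-safety", "Compact GuardLogix 5370", "28.011", frozenset({44818})),
    Controller("plc-isolated", "CompactLogix 5370 L2", "20.011", frozenset()),
    Controller("plc-rack", "ControlLogix 5570", "30.011", frozenset({80, 44818})),
]
T = datetime(2019, 5, 1, 10, 0, 0)
CONN_LOG = [
    (T, "plc-line1", "10.0.5.23", 80),
    (T - timedelta(hours=1), "plc-isolated", "10.0.5.23", 44818),  # too early to correlate
    (T + timedelta(seconds=5), "plc-line2", "10.0.5.23", 80),      # no MNRF follows
]
FAULT_LOG = [
    (T + timedelta(seconds=12), "plc-line1", "MNRF"),
    (T + timedelta(hours=2), "plc-isolated", "MNRF"),
    (T + timedelta(seconds=20), "plc-line2", "MINOR"),
]

if __name__ == "__main__":
    for name, reason in triage(INVENTORY):
        print(f"{name}: {reason}")
    for host, src, port in faults_after_inbound(FAULT_LOG, CONN_LOG):
        print(f"{host}: MNRF within 60 s of inbound {src} -> port {port}")
```

The version comparison is the part worth getting right: FRN minor revisions are zero-padded, so "30.014" sorts correctly as 30.14 only when parsed numerically, and the fix threshold is a strict less-than against 31.011. The fault correlation window is an assumption; tune it to how quickly the controller reports an MNRF on your network.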
CVSS provenance
- NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
CISA ICS
ICS Advisory ICSA-19-120-01: Rockwell Automation CompactLogix 5370 (Update A)
Published: April 30, 2019 · Last revised: June 29, 2023 · Severity: CRITICAL (CVSS 9.8)
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.6 (CISA's own score; NVD rates the CVE 9.8)
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: CompactLogix 5370
- Vulnerabilities: Uncontrolled Resource Consumption, Stack-based Buffer Overflow
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled “ICSA-19-120-01 Rockwell Automation CompactLogix 5370” that was published April 30, 2019, on the ICS webpage on cisa.gov/ICS.
## 3. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to render the web server unavailable and/or place the controller in a major non
GHSA
GHSA-cgc7-wrh2-gfjh (ghsa_unreviewed · 2022-05-24) · CVE-2019-10952 · HIGH · CWE-400
GHSA files this under CWE-400 (Uncontrolled Resource Consumption) even though the description names a stack-based buffer overflow; the CISA advisory lists both weaknesses for the affected product.
An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier systems.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/108118
- https://ics-cert.us-cert.gov/advisories/ICSA-19-120-01
- https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1075979