PatchSiren cyber security CVE debrief
CVE-2024-5659 Rockwell Automation CVE debrief
A vulnerability in Rockwell Automation ControlLogix, GuardLogix, and CompactLogix controllers allows an unauthenticated attacker on the same network to trigger a major nonrecoverable fault (MNRF/Assert) by sending abnormal packets to the mDNS port (UDP 5353). Successful exploitation causes complete loss of device availability. The vulnerability affects six product lines across multiple firmware versions, with patches available that correct the mDNS packet handling flaw. CISA published this advisory on June 11, 2024.
- Vendor: Rockwell Automation
- Product: ControlLogix 5580
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-11
- Original CVE updated: 2024-06-11
- Advisory published: 2024-06-11
- Advisory updated: 2024-06-11
Who should care
Organizations operating Rockwell Automation ControlLogix 5580, GuardLogix 5580, 1756-EN4, CompactLogix 5380, Compact GuardLogix 5380, or CompactLogix 5480 controllers in industrial environments. Critical infrastructure operators, manufacturing facilities, and any sites using these controllers for process control should prioritize patching or implementing network-level mitigations.
Technical summary
The vulnerability exists in the mDNS (Multicast DNS) implementation of affected Rockwell Automation controllers. An attacker on the same network segment can send malformed packets to UDP port 5353, causing all affected controllers on that network to enter a major nonrecoverable fault (MNRF/Assert) state. This results in complete loss of availability with no confidentiality or integrity impact. The attack requires no authentication or user interaction and can affect multiple devices simultaneously due to the multicast nature of mDNS. Firmware updates correct the packet parsing logic to prevent the fault condition.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade affected controllers to corrected firmware versions: ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, Compact GuardLogix 5380, and CompactLogix 5480 to V34.014, V35.013, V36.011 or later; 1756-EN4 to V6.001
- If automatic policy deployment (APD) is not used, block UDP port 5353 (mDNS) at network boundaries to prevent exploitation
- Enable CIP Security on affected devices where supported
- Apply network segmentation to isolate industrial control systems from untrusted networks
- Monitor for unexpected controller faults or MNRF events as potential indicators of exploitation attempts
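To turn the firmware action above into an inventory check, the following added example (not Rockwell Automation or CISA code) compares controller firmware against the corrected versions listed. It assumes the three Logix values are per-branch minimums and that versions are written as V<major>.<minor>; the status labels and asset names are hypothetical.

```python
import re

# Corrected firmware named in the list above. Treating the three Logix values
# as per-branch minimums (V34.x, V35.x, V36.x) is an assumption of this example.
LOGIX = {"ControlLogix 5580", "GuardLogix 5580", "CompactLogix 5380",
         "Compact GuardLogix 5380", "CompactLogix 5480"}
LOGIX_FIXED = {34: 14, 35: 13, 36: 11}   # branch -> lowest corrected minor
EN4_FIXED = (6, 1)                       # 1756-EN4: V6.001

def parse_version(text):
    """Parse 'V34.014' or '34.014' into (34, 14)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(product, firmware):
    """Return 'at-or-above-fix', 'below-fix', 'review' or 'not-listed'."""
    major, minor = parse_version(firmware)
    if product == "1756-EN4":
        return "at-or-above-fix" if (major, minor) >= EN4_FIXED else "below-fix"
    if product not in LOGIX:
        return "not-listed"              # product is not named in this debrief
    if major > max(LOGIX_FIXED):
        return "at-or-above-fix"         # covered by "or later"
    if major in LOGIX_FIXED:
        fixed = minor >= LOGIX_FIXED[major]
        return "at-or-above-fix" if fixed else "below-fix"
    # Branch older than V34: the debrief names no corrected build for it,
    # so check the vendor advisory rather than guessing.
    return "review"

# Constructed sample inventory (hypothetical asset names and versions).
INVENTORY = [
    ("PLC-LINE1", "ControlLogix 5580", "V34.012"),
    ("PLC-LINE2", "CompactLogix 5380", "V35.013"),
    ("SAFETY-1", "GuardLogix 5580", "V33.016"),
    ("ENET-A", "1756-EN4", "V5.001"),
    ("PLC-LINE3", "CompactLogix 5480", "V37.011"),
]

def report(inventory):
    """Map each asset name to its triage status."""
    return {name: triage(product, fw) for name, product, fw in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```

Assets reported as below-fix or review are the ones to cover with the UDP 5353 blocking and segmentation actions until firmware is updated.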
Evidence notes
CISA CSAF advisory ICSA-24-163-01 published 2024-06-11 documents this vulnerability. CVSS 3.1 score of 7.4 (HIGH) with vector AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H indicates attack from adjacent network, low complexity, no privileges required, no user interaction, scope change, high availability impact. Six affected products identified: ControlLogix 5580, GuardLogix 5580, 1756-EN4, CompactLogix 5380, Compact GuardLogix 5380, and CompactLogix 5480. Vendor fixes specified for each product line.
Official resources
- CVE-2024-5659 CVE record (CVE.org)
- CVE-2024-5659 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-06-11