PatchSiren cyber security CVE debrief
CVE-2024-6207 Rockwell Automation CVE debrief
A denial-of-service vulnerability in Rockwell Automation ControlLogix controllers causes a Major Non-Recoverable Fault (MNRF) when processing malformed CIP requests. Exploitation requires chaining with CVE-2021-22681 to send crafted CIP messages, resulting in controller crash and termination of all running processes. Recovery requires a full controller download, disrupting operational technology environments.
- Vendor: Rockwell Automation
- Product: ControlLogix 5580
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-10
- Original CVE updated: 2024-10-10
- Advisory published: 2024-10-10
- Advisory updated: 2024-10-10
Who should care
Industrial control system operators, OT security teams, manufacturing engineers, and critical infrastructure defenders using Rockwell Automation ControlLogix, GuardLogix, CompactLogix, or FactoryTalk Logix Echo controllers in production environments.
Technical summary
The vulnerability exists in the CIP (Common Industrial Protocol) request handler of affected Rockwell Automation controllers. When an invalid CIP request is received, the controller enters a Major Non-Recoverable Fault (MNRF) state rather than rejecting the malformed input gracefully. Successful exploitation requires an attacker to first compromise authentication via CVE-2021-22681, then transmit a specially crafted CIP message. The MNRF state terminates all controller processes and drops connections to connected devices, including engineering workstations. Recovery requires a controller download operation, which ends any running industrial processes and requires physical or remote access to the affected device.
Defensive priority
HIGH
Recommended defensive actions
- Apply firmware updates to V33.017, V34.014, V35.013, or V36.011 for all affected ControlLogix, GuardLogix, CompactLogix, and FactoryTalk Logix Echo controllers
- Review and implement Rockwell Automation security best practices for industrial control systems
- Segment control system networks from enterprise IT and internet-facing systems to limit CIP message exposure
- Monitor for indicators of CVE-2021-22681 exploitation, the prerequisite attack vector
- Establish controller backup and recovery procedures to minimize downtime from MNRF events
- Validate controller firmware versions during maintenance windows and prior to production deployment
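For the firmware validation step, the following added example (not from the advisory or from Rockwell Automation) checks an asset inventory against the fixed revisions listed above. It assumes revisions are reported as "Vmajor.minor", that a later minor revision within the same major release also carries the fix, and the asset names and inventory are constructed sample data.

```python
import re

# Fixed firmware revision per major release, as listed on this page.
FIXED = {33: 17, 34: 14, 35: 13, 36: 11}

# Constructed sample inventory: (asset name, reported firmware revision).
SAMPLE_INVENTORY = [
    ("line1-plc-a", "V33.015"),
    ("line1-plc-b", "33.017"),
    ("pack-plc-01", "v35.011"),
    ("pack-plc-02", "V36.011"),
    ("util-plc-07", "V32.016"),
    ("lab-plc-99", "unknown"),
]

_REV = re.compile(r"^[Vv]?(\d{1,3})\.(\d{1,3})$")


def parse_revision(text):
    """Return (major, minor), or None if the string is not a 'Vmm.nnn' revision."""
    m = _REV.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(revision):
    """Classify one reported revision against the fixed revisions on this page."""
    parsed = parse_revision(revision)
    if parsed is None:
        return "unparsed"  # needs a manual check, never assume it is patched
    major, minor = parsed
    if major not in FIXED:
        # The page lists no fixed revision for this major release.
        return "check-advisory"
    # Assumption: minor revisions compare numerically within a major release.
    return "fixed" if minor >= FIXED[major] else "update-needed"


def audit(inventory):
    """Group asset names by classification."""
    report = {}
    for asset, revision in inventory:
        report.setdefault(classify(revision), []).append(asset)
    return report


if __name__ == "__main__":
    for status, assets in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(assets)}")
```

Assets reported as "check-advisory" or "unparsed" should be resolved against the vendor advisory by hand, since this page does not say whether other major releases are affected.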
Evidence notes
CISA ICS Advisory ICSA-24-284-20, published 2024-10-10, documents this vulnerability with a CVSS 3.1 score of 7.5 (HIGH). The advisory confirms eight affected product lines across the ControlLogix, GuardLogix, CompactLogix, and FactoryTalk Logix Echo families. Remediation requires firmware updates to V33.017, V34.014, V35.013, or V36.011.
Official resources
- CVE-2024-6207 CVE record (CVE.org)
- CVE-2024-6207 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-10-10