PLCS.net - Interactive Q & A

PLCS.net - Interactive Q & A (http://www.plctalk.net/qanda/index.php)
-   LIVE PLC Questions And Answers (http://www.plctalk.net/qanda/forumdisplay.php?f=2)
-   -   Rockwell's latest vulnerability EtherNet/IP communication DoS (http://www.plctalk.net/qanda/showthread.php?t=118238)

KuulKuum November 8th, 2018 11:30 AM

Rockwell's latest vulnerability EtherNet/IP communication DoS
 
FYI, I received an email a few days ago about RA vulnerability with communication modules denial-of-service as well as ML1400 vulnerability.
Most of the communication modules listed have "No direct mitigation provided"

https://rockwellautomation.custhelp....l/a_id/1081928

The question I have is: WHY it has taken Rockwell so long to even report this type of vulnerability?
The real kicker here is to mitigate these vulnerabilities with their communication modules is to contact a local rep. or sales in order to upgrade to a newer product..$$$$ :mddr:

btw: the current client site that I'm working at has 100s of these comm modules.

Ken Roach November 8th, 2018 11:48 AM

I get it that it's frustrating when firmware writers don't account for all possible attacks and patch only the newest product first.

The most likely way this would be exploited would result in loss of IP connectivity and a physical hunt for affected devices. Yes, I can already imagine more malicious ways to use it if a person had knowledge of the control system.

I'm confident that Rockwell will fix the older 1756-ENBT and 1756-EN2T firmware on pre-Series C modules.

I'm not saying this isn't important or worth taking seriously, only that it's probably not catastrophic as of today.

harryting November 8th, 2018 12:16 PM

I'm not understanding. How is any different than any other manufacturer? Not to down play this specific issue, but just like hundreds of such vulnerabilities notification I get on a monthly basis, if someone get inside your network. Changing the IP address on the controller seems the least of my worries.

Another thing, most vendor does not pro-actively notify users on vulnerability. If you want to be notify as such, subscribe to ICS-CERT's free notification service.

lfe November 8th, 2018 01:20 PM

Ethernet/IP is not a secure protocol, it does not support encryption, authentication etc.

As harryting says, it is much more serious to expose the local network to external intrusions than this related vulnerability

VAN November 8th, 2018 05:24 PM

If someone has access to your network, simply putting another device on the network with the same IP will take down comms (or if you're really clever take a block of IPs down).

I wouldn't say I've got a huge issue with this, someone/thing having access to your process network seems like the bigger issue.

brendan.buchan November 8th, 2018 05:44 PM

Quote:

Originally Posted by lfe (Post 797397)
Ethernet/IP is not a secure protocol, it does not support encryption, authentication etc.

Slightly off topic, but CIP Security over Ethernet/IP has already been developed and is not far away from being released and supported by Rockwell on the new processors and Ethernet cards.

James Mcquade November 8th, 2018 05:54 PM

That's the very reason you need to keep the plant plc side away from the corporate side which has internet !

we have separate networks and sql passing data from one side to the other.
there are only a few of us with the authority to remote into the plc side from offsite and make changes and we keep track of when they log in / out.

james


All times are GMT -5. The time now is 08:55 AM.

.