{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "CompactLogix L32E and L35E controllers", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "1788-ENBT FLEXLogix adapter", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "1794-AENTR FLEX I/O EtherNet/IP adapter", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "ControlLogix, CompactLogix, GuardLogix, and SoftLogix", "vendor": "Rockwell Automation", "versions": [{"lessThanOrEqual": "18", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "CompactLogix and SoftLogix controllers", "vendor": "Rockwell Automation", "versions": [{"lessThanOrEqual": "19", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ControlLogix and GuardLogix controllers", "vendor": "Rockwell Automation", "versions": [{"lessThanOrEqual": "20", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "MicroLogix", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "1100"}, {"status": "affected", "version": "1400"}]}], "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was discovered by Rockwell Automation engineers as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\n\n\n\n\n\n\n\n\n\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.</span>\n\n</p><p>Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400&nbsp;<br></p>"}], "value": "The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"}], "metrics": [{"cvssV2_0": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-06-30T22:03:01.214Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"}, {"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"}, {"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"}, {"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"}, {"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.</p><p>To mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:</p><p><a target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154\">https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154</a><br><a target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155\">https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155</a><br><a target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156\">https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156</a></p><p>For more information on security with Rockwell Automation products, please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\">Rockwell\u2019s Security Advisory Index</a>.</p>"}], "value": "According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.\n\nTo mitigate the vulnerabilities, Rockwell has developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches please refer to Rockwell\u2019s Advisories at:\n\n https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155 \n https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156 \n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."}], "source": {"advisory": "ICSA-13-011-03", "discovery": "INTERNAL"}, "title": "Rockwell Automation ControlLogix PLC Improper Input Validation", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.</p><p></p>\n\n<p>To mitigate the vulnerability with the Web server password authentication mechanism:</p><ol><li>Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.</li><li>Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.</li><li>Where possible, disable the Web server and change all default Administrator and Guest passwords.</li><li>If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as:<ol><li>When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.</li><li>When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.</li></ol></li><li>If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change</li></ol><p>In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:</p><ol><li>Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to <a target=\"_blank\" rel=\"nofollow\" href=\"http://www.ab.com/networks/architectures.html\">http://www.ab.com/networks/architectures.html</a> for comprehensive information about implementing validated architectures designed to deliver these measures.</li><li>Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.</li><li>Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.</li><li>Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.</li><li>Make sure that software and control system device firmware is patched to current releases.</li><li>Periodically change passwords in control system components and infrastructure devices.</li><li>Where applicable, set the controller key-switch/mode-switch to RUN mode.</li></ol>\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">For more information on security with Rockwell Automation products, please refer to </span><a target=\"_blank\" rel=\"nofollow\" href=\"http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102\">Rockwell\u2019s Security Advisory Index</a><span style=\"background-color: rgb(255, 255, 255);\">.</span>\n\n<br>"}], "value": "Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.\n\n\n\n\n\nTo mitigate the vulnerability with the Web server password authentication mechanism:\n\n * Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.\n * Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.\n * Where possible, disable the Web server and change all default Administrator and Guest passwords.\n * If Web server functionality is needed, then Rockwell recommends upgrading the product\u2019s firmware to the most current version to have the newest enhanced protections available such as: * When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.\n * When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.\n\n * If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration change\nIn addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best-practices:\n\n * Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.\n * Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.\n * Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.\n * Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.\n * Make sure that software and control system device firmware is patched to current releases.\n * Periodically change passwords in control system components and infrastructure devices.\n * Where applicable, set the controller key-switch/mode-switch to RUN mode.\n\n\n\n\nFor more information on security with Rockwell Automation products, please refer to Rockwell\u2019s Security Advisory Index http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 ."}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2012-6439", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allow remote attackers to cause a denial of service (control and communication outage) via a CIP message that modifies the (1) configuration or (2) network parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf", "refsource": "MISC", "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T21:28:39.932Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2012-6440", "datePublished": "2013-01-24T21:00:00Z", "dateReserved": "2012-12-26T00:00:00Z", "dateUpdated": "2025-06-30T22:03:01.214Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:controllogix_controllers:*:*:*:*:*:*:*:*", "matchCriteriaId": "37F4D4ED-1915-4155-9F0A-691771AA534B", "versionEndIncluding": "20", "vulnerable": true}, {"criteria": "cpe:2.3:a:rockwellautomation:guardlogix_controllers:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2F8B5EE-C1BA-4CFB-B17F-C59BCDB41503", "versionEndIncluding": "20", "vulnerable": true}, {"criteria": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE554CCC-0A46-43D4-8D7D-44200BB7D314", "versionEndIncluding": "1100", "vulnerable": true}, {"criteria": "cpe:2.3:a:rockwellautomation:micrologix:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D3B4218-4483-4FAE-9915-8937F40AED27", "versionEndIncluding": "1400", "vulnerable": true}, {"criteria": "cpe:2.3:a:rockwellautomation:softlogix_controllers:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE7219A5-4759-4143-B89F-869D49CAAFF7", "versionEndIncluding": "19", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:1756-enbt:-:*:*:*:*:*:*:*", "matchCriteriaId": "330E9A05-C869-41B1-BB28-FD2A7C7ED0CE", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:1756-eweb:-:*:*:*:*:*:*:*", "matchCriteriaId": "2AD7D5DB-4A49-421A-8C6C-B9E6DA0A499B", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:1768-enbt:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD44B55C-BDD7-41CC-91A9-F31ED2FC69E2", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:1768-eweb:-:*:*:*:*:*:*:*", "matchCriteriaId": "C91D5245-DED2-469C-A800-62109F8159C9", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:1794-aentr_flex_i\\/o_ethernet\\/ip_adapter:-:*:*:*:*:*:*:*", "matchCriteriaId": "0BD25E6B-6AE1-4B8C-A086-F5E152CAAA60", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:compactlogix:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA199887-E8F7-48EE-B1E0-9EF2E439DACE", "versionEndIncluding": "18", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:compactlogix_controllers:*:*:*:*:*:*:*:*", "matchCriteriaId": "A763D845-B091-47A4-8A29-A1CD19C1E4F2", "versionEndIncluding": "19", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:compactlogix_l32e_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "19B8ED27-2512-4A42-973C-99D300963046", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:compactlogix_l35e_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "7EFC590C-01C1-48D1-A5BE-0F70BE7F36B9", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:controllogix:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FE24B9B-9F7D-4D8F-A674-F04FC9F9F8BC", "versionEndIncluding": "18", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:flexlogix_1788-enbt_adapter:-:*:*:*:*:*:*:*", "matchCriteriaId": "887A3369-548C-42B0-82C5-92CB161D3B7A", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:guardlogix:*:*:*:*:*:*:*:*", "matchCriteriaId": "E98626DD-BC79-473E-B25F-92C9BA12F6DD", "versionEndIncluding": "18", "vulnerable": true}, {"criteria": "cpe:2.3:h:rockwellautomation:softlogix:*:*:*:*:*:*:*:*", "matchCriteriaId": "D83AF504-2845-4022-BA8E-52F4FB773EA4", "versionEndIncluding": "18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product\u2019s Web server to view and alter product configuration and diagnostics information.\n\n\n\nRockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400"}, {"lang": "es", "value": "La funcionalidad de autenticaci\u00f3n web-server en los productos Rockwell Automation EtherNet/IP; m\u00f3dulos de comunicaci\u00f3n 1756-ENBT, 1756-EWEB, 1768-ENBT, y 1768-EWEB; controlodares CompactLogix L32E y L35E; adaptador 1788-ENBT FLEXLogix; adaptador 1794-AENTR FLEX I/O EtherNet/IP; ControlLogix 18 y anteriores; CompactLogix 18 y anteriores; GuardLogix 18 y anteriores; SoftLogix 18 y anteriores; controladores CompactLogix 19 y anteriores; controladores SoftLogix 19 y anteriores; controladores ControlLogix 20 y anteriores; controladores GuardLogix 20 y anteriores; MicroLogix 1100 y 1400 permiten ataques man-in-the-middle conducir ataques de repetici\u00f3n por tr\u00e1fico HTTP."}], "id": "CVE-2012-6440", "lastModified": "2025-06-30T22:15:29.253", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": true}, {"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-01-24T21:55:01.697", "references": [{"source": "[email protected]", "url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"}, {"source": "[email protected]", "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"}, {"source": "[email protected]", "url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"}, {"source": "[email protected]", "url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"}, {"source": "[email protected]", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "[email protected]", "type": "Secondary"}]}

{}