CVE-2024-6077 Overview
CVE-2024-6077 is a denial-of-service vulnerability affecting multiple Rockwell Automation Logix controllers and the 1756-EN4 communication module. The flaw resides in the handling of the Common Industrial Protocol (CIP) Security Object. An unauthenticated remote attacker can send specially crafted packets to the CIP Security Object and render the device unavailable. Recovery requires a full factory reset, which makes this issue particularly disruptive in operational technology (OT) environments where downtime carries direct safety and production costs. The vulnerability is tracked under [CWE-20] Improper Input Validation.
Critical Impact
A successful attack forces the affected controller offline and requires a factory reset to restore operation, interrupting industrial control processes.
Affected Products
- Rockwell Automation CompactLogix 5380 (firmware 32.011)
- Rockwell Automation Compact GuardLogix 5380 SIL 2 (firmware 32.013) and SIL 3 (firmware 32.011)
- Rockwell Automation CompactLogix 5480, ControlLogix 5580, GuardLogix 5580, and 1756-EN4 communication module
Discovery Timeline
- 2024-09-12 - CVE-2024-6077 published to NVD
- 2024-09-19 - Last updated in NVD database
Technical Details for CVE-2024-6077
Vulnerability Analysis
The vulnerability resides in the CIP Security Object implementation used by Rockwell Automation Logix controllers and the 1756-EN4 module. CIP Security is the secure transport extension to the Common Industrial Protocol used over EtherNet/IP. The affected components fail to properly validate incoming packets targeting the CIP Security Object. When a malformed packet is processed, the device enters an unrecoverable error state. Unlike a transient crash, the controller does not return to service after a power cycle and instead requires a factory reset. That reset wipes configuration and program state, forcing operators to redeploy controller logic and restore network parameters before production resumes.
Root Cause
The root cause is improper input validation [CWE-20] inside the CIP Security Object handler. The firmware accepts attacker-controlled fields without sufficient bounds or state checks. The resulting fault corrupts internal state used by the security subsystem and prevents normal startup recovery paths from running.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with reachability to the controller over EtherNet/IP can deliver crafted CIP packets directly to the CIP Security Object. Because many industrial networks expose controllers on flat subnets or through poorly segmented engineering workstations, the practical exposure is significant when controllers are reachable from outside trusted cell zones.
No verified public proof-of-concept code is available. Refer to the Rockwell Automation Security Advisory SD1963 for vendor technical details.
Detection Methods for CVE-2024-6077
Indicators of Compromise
- Affected controllers transitioning to a faulted or non-responsive state immediately after receiving CIP traffic on TCP/UDP port 44818 or EtherNet/IP port 2222.
- Loss of cyclic I/O communication and unexpected MAJOR faults reported by Logix Designer or FactoryTalk diagnostics.
- Controllers that fail to recover after power cycling and require manual factory reset to come back online.
Detection Strategies
- Monitor EtherNet/IP and CIP traffic for malformed packets targeting the CIP Security Object class code, particularly from unexpected source hosts.
- Correlate controller availability metrics from FactoryTalk AssetCentre or Logix uptime counters with network capture data to identify packet-induced outages.
- Deploy passive OT network monitoring sensors that decode CIP and alert on Security Object messages from non-engineering workstations.
Monitoring Recommendations
- Baseline normal CIP Security Object traffic patterns and alert on deviations or first-seen sources.
- Forward controller diagnostic logs and network telemetry to a centralized SIEM or data lake for cross-correlation with IT-side authentication and access events.
- Track factory reset events as high-severity operational anomalies that warrant root-cause investigation.
How to Mitigate CVE-2024-6077
Immediate Actions Required
- Apply the firmware updates referenced in Rockwell Automation Security Advisory SD1963 for each affected controller and the 1756-EN4 module.
- Inventory all CompactLogix 5380, Compact GuardLogix 5380 SIL 2/SIL 3, CompactLogix 5480, ControlLogix 5580, GuardLogix 5580, and 1756-EN4 devices to confirm firmware versions.
- Restrict network reachability to controller management interfaces from non-engineering systems.
Patch Information
Rockwell Automation has published fixed firmware versions in advisory SD1963. Customers with TechConnect contracts can download updates from the Rockwell Automation Product Compatibility and Download Center. Review the advisory for the exact corrected version that applies to each controller family before scheduling maintenance windows.
Workarounds
- Segment OT networks using ISA/IEC 62443 zone and conduit principles to isolate controllers from enterprise and remote-access networks.
- Deploy firewalls or industrial DMZs that restrict CIP and EtherNet/IP traffic to authorized engineering workstations and HMIs only.
- Disable CIP Security on devices where it is not in active use until patched firmware is deployed, following vendor guidance.
- Maintain offline backups of controller programs and configuration to accelerate recovery if a factory reset becomes necessary.
# Example: block EtherNet/IP CIP traffic from untrusted subnets at an OT firewall
iptables -A FORWARD -s 10.0.0.0/8 -d 192.168.10.0/24 -p tcp --dport 44818 -j DROP
iptables -A FORWARD -s 10.0.0.0/8 -d 192.168.10.0/24 -p udp --dport 2222 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
