CVE-2012-6436

Rockwell Automation ControlLogix PLC Improper Input Validation

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows remote attackers to cause a denial of service (CPU crash and communication outage) via a malformed CIP packet.

Desbordamiento de búfer en varios productos Rockwell Automation EtherNet/IP; 1756-ENBT, 1756-EWEB, 1768-ENBT, y 1768-EWEB; controladores CompactLogix L32E y L35E; adaptodor 1788-ENBT FLEXLogix; adaptador 1794-AENTR FLEX I/O EtherNet/IP; ControlLogix 18 y anteriores; CompactLogix 18 y anteriores; GuardLogix 18 y anteriores; SoftLogix 18 y anteriores; CompactLogix 19 y anteriores; SoftLogix 19 y anteriores; ControlLogix 20 y anteriores; GuardLogix 20 y anteriores; y MicroLogix 1100 y 1400, permite a atacantes remotos provocar una denegación de servicio (caída de CPU y agotamiento de la comunicación) a través de un paquete CIP mal formado.

The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

*Credits: Rubén Santamarta of IOActive identified vulnerabilities in Rockwell Automation’s ControlLogix PLC and released proof-of-concept (exploit) code at the Digital Bond S4 Conference on January 19, 2012.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-12-26 CVE Reserved
2013-01-24 CVE Published
2025-06-30 CVE Updated
2025-11-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (6)

URL	Tag	Source
http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf	Us Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154
https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155
https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156
http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Rockwellautomation Search vendor "Rockwellautomation"		Controllogix Controllers Search vendor "Rockwellautomation" for product "Controllogix Controllers"				<= 20 Search vendor "Rockwellautomation" for product "Controllogix Controllers" and version " <= 20"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Guardlogix Controllers Search vendor "Rockwellautomation" for product "Guardlogix Controllers"				<= 20 Search vendor "Rockwellautomation" for product "Guardlogix Controllers" and version " <= 20"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Micrologix Search vendor "Rockwellautomation" for product "Micrologix"				<= 1100 Search vendor "Rockwellautomation" for product "Micrologix" and version " <= 1100"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Micrologix Search vendor "Rockwellautomation" for product "Micrologix"				<= 1400 Search vendor "Rockwellautomation" for product "Micrologix" and version " <= 1400"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Softlogix Controllers Search vendor "Rockwellautomation" for product "Softlogix Controllers"				<= 19 Search vendor "Rockwellautomation" for product "Softlogix Controllers" and version " <= 19"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		1756-enbt Search vendor "Rockwellautomation" for product "1756-enbt"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		1756-eweb Search vendor "Rockwellautomation" for product "1756-eweb"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		1768-enbt Search vendor "Rockwellautomation" for product "1768-enbt"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		1768-eweb Search vendor "Rockwellautomation" for product "1768-eweb"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		1794-aentr Flex I\/o Ethernet\/ip Adapter Search vendor "Rockwellautomation" for product "1794-aentr Flex I\/o Ethernet\/ip Adapter"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Compactlogix Search vendor "Rockwellautomation" for product "Compactlogix"				<= 18 Search vendor "Rockwellautomation" for product "Compactlogix" and version " <= 18"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Compactlogix Controllers Search vendor "Rockwellautomation" for product "Compactlogix Controllers"				<= 19 Search vendor "Rockwellautomation" for product "Compactlogix Controllers" and version " <= 19"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Compactlogix L32e Controller Search vendor "Rockwellautomation" for product "Compactlogix L32e Controller"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Compactlogix L35e Controller Search vendor "Rockwellautomation" for product "Compactlogix L35e Controller"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Controllogix Search vendor "Rockwellautomation" for product "Controllogix"				<= 18 Search vendor "Rockwellautomation" for product "Controllogix" and version " <= 18"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Flexlogix 1788-enbt Adapter Search vendor "Rockwellautomation" for product "Flexlogix 1788-enbt Adapter"				-		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Guardlogix Search vendor "Rockwellautomation" for product "Guardlogix"				<= 18 Search vendor "Rockwellautomation" for product "Guardlogix" and version " <= 18"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Softlogix Search vendor "Rockwellautomation" for product "Softlogix"				<= 18 Search vendor "Rockwellautomation" for product "Softlogix" and version " <= 18"		-		Affected