CVE-2012-6437

Rockwell Automation ControlLogix Controllers - Authentication Bypass

Title source: rule

Description

The device does not properly authenticate users, and a remote user could potentially upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices.

Affected products: Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400.

Scores

EPSS 0.1182
EPSS Percentile 93.6%

Classification

CWE
CWE-287
Status draft

Affected Products (17)

rockwellautomation/controllogix_controllers < 20
rockwellautomation/guardlogix_controllers < 20
rockwellautomation/micrologix < 1100
rockwellautomation/softlogix_controllers < 19
rockwellautomation/1756-enbt
rockwellautomation/1756-eweb
rockwellautomation/1768-enbt
rockwellautomation/1768-eweb
rockwellautomation/1794-aentr_flex_i\/o_ethernet\/ip_adapter
rockwellautomation/compactlogix < 18
rockwellautomation/compactlogix_controllers < 19
rockwellautomation/compactlogix_l32e_controller
rockwellautomation/compactlogix_l35e_controller
rockwellautomation/controllogix < 18
rockwellautomation/flexlogix_1788-enbt_adapter
... and 2 more

Timeline

Published Jan 24, 2013
Tracked Since Feb 18, 2026