ICS-CERT ADVISORY 
ICSA-11-273-03A—ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY 
October 06, 2011 
OVERVIEW 
This Updated Advisory is a follow-up to the original Advisory titled “ICSA-11-273-03—Rockwell 
RSLogix denial-of-Service Vulnerability” that was published September 30, 2011 on the ICS-CERT web 
page. 
ICS-CERT is aware of a public report of a denial-of-service vulnerability in Rockwell Automation’s 
RSLogix application.  
--------- Begin Update X Part 1 of 2 -------- 
Rockwell has produced a patch that mitigates this vulnerability for all affected versions of FactoryTalk 
Services Platform and RSLogix 5000. 
--------- End Update X Part 1 of 2 ---------- 
AFFECTED PRODUCTS 
According to Rockwell Automation, the following products are affected: 
• RSLogix 5000 software Versions V17, V18, and V19 
• All FactoryTalk-branded software of specific Versions CPR9 and CPR9-SR1 through SR4.  
IMPACT 
Successful exploitation of this vulnerability could result in a denial-of-service. 
Impact to individual organizations depends on many factors that are unique to each organization. 
ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their 
operational environment, architecture, and product implementation.  
BACKGROUND 
Rockwell Automation provides industrial automation control and information products worldwide, across 
a wide range of industries.  
RSLogix 5000 is a programming suite used to develop interfaces within the control system environment. 
The FactoryTalk Services Platform is a collection of production and performance management systems.  
 
ICS-CERT Advisory ICSA-11-273-03A  Page 1 of 3 
  
VULNERABILITY CHARACTERIZATION 
VULNERABILITY OVERVIEW 
A Read Access violation can occur when a specially crafted packet is sent to open ports running the 
software.  The open TCP ports are as follows: 
• 1330 
• 4242 
• 6543 
• 1331 
• 4445 
• 9111 
• 1332 
• 4446 
• 60093 
• 4241 
• 5241 
• 49281 
a
 A 
CVE-2011-3489 has been assigned to this vulnerability in the National Vulnerability Database (NVD).
CVSS base score of 5.0 has been assigned. 
VULNERABILITY DETAILS 
EXPLOITABILITY 
This vulnerability is remotely exploitable. 
EXISTENCE OF EXPLOIT 
Public exploits are known to target this vulnerability.  
DIFFICULTY 
An attacker with a low skill level can create the denial-of-service. 
MITIGATION 
--------- Begin Update X Part 2 of 2 -------- 
Rockwell Automation recommends that concerned customers using FactoryTalk Services Platform 
Versions CPR9 and CPR9-SR1 through SR4 and customers using RSLogix versions V17, V18, and V19 
b
apply patch AID 458689.
 
Customers using FactoryTalk Services Platform CPR7 and earlier, and RSLogix 5000 V16 and earlier, 
are not affected by this vulnerability. 
For full patching instructions and additional information, refer to Rockwell Automation Security 
Advisory KB 456144. 
http://rockwellautomation.custhelp.com/app/answers/detail/a_id/456144. 
--------- End Update X Part 2 of 2 ---------- 
                                                      
a
. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3489, website last accessed October 06, 2011. 
b. http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689, website last accessed October 06, 2011. 
 
ICS-CERT Advisory ICSA-11-273-03A  Page 2 of 3 
  
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and 
other cybersecurity risks. 
• Minimize network exposure for all control system devices. Critical devices should not directly face 
the Internet. 
• Locate control system networks and remote devices behind firewalls, and isolate them from the 
business network. 
• When remote access is required, use secure methods such as Virtual Private Networks (VPNs), 
recognizing that VPN is only as secure as the connected devices. 
The Control Systems Security Program (CSSP) also provides a section for control system security 
recommended practices on the CSSP web page. Several recommended practices are available for reading 
and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth 
c
 
Strategies.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior 
to taking defensive measures. 
Organizations observing any suspected malicious activity should follow their established internal 
procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.  
ICS-CERT CONTACT 
For any questions related to this report, please contact ICS-CERT at: 
ics-cert@dhs.gov 
E-mail: 
Toll Free: 1-877-776-7585 
For CSSP Information and Incident Reporting: 
www.ics-cert.org 
DOCUMENT FAQ 
What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide awareness or solicit 
feedback from critical infrastructure owners and operators concerning ongoing cyber events or activity 
with the potential to impact critical infrastructure computing networks 
When is vulnerability attribution provided to researchers? Attribution for vulnerability 
discovery is provided when prior coordination has occurred with either the vendor, ICS-CERT, or other 
coordinating entity. ICS-CERT encourages researchers to coordinate vulnerability details before public 
release. The public release of vulnerability details prior to the development of proper mitigations may put 
industrial control systems (ICSs) and the public at avoidable risk.  
                                                      
c. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html, website last 
accessed October 06, 2011. 
 
ICS-CERT Advisory ICSA-11-273-03A  Page 3 of 3 

##</code><code>##

if( $stdout =~ /(?:OVERVIEW|SUMMARY)(.+)(?:AFFECTED\sPRODUCTS|BACKGROUND)/s ) {
                        print "$1\n";
                }

##</code><code>##

This Updated Advisory is a follow-up to the original Advisory titled “ICSA-11-273-03—Rockwell 
RSLogix denial-of-Service Vulnerability” that was published September 30, 2011 on the ICS-CERT web 
page. 
ICS-CERT is aware of a public report of a denial-of-service vulnerability in Rockwell Automation’s 
RSLogix application.  
--------- Begin Update X Part 1 of 2 -------- 
Rockwell has produced a patch that mitigates this vulnerability for all affected versions of FactoryTalk 
Services Platform and RSLogix 5000. 
--------- End Update X Part 1 of 2 ---------- 
AFFECTED PRODUCTS 
According to Rockwell Automation, the following products are affected: 
• RSLogix 5000 software Versions V17, V18, and V19 
• All FactoryTalk-branded software of specific Versions CPR9 and CPR9-SR1 through SR4.  
IMPACT 
Successful exploitation of this vulnerability could result in a denial-of-service. 
Impact to individual organizations depends on many factors that are unique to each organization. 
ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their 
operational environment, architecture, and product implementation.  

##</code><code>##

This Updated Advisory is a follow-up to the original Advisory titled “ICSA-11-273-03—Rockwell 
RSLogix denial-of-Service Vulnerability” that was published September 30, 2011 on the ICS-CERT web 
page. 
ICS-CERT is aware of a public report of a denial-of-service vulnerability in Rockwell Automation’s 
RSLogix application.  
--------- Begin Update X Part 1 of 2 -------- 
Rockwell has produced a patch that mitigates this vulnerability for all affected versions of FactoryTalk 
Services Platform and RSLogix 5000. 
--------- End Update X Part 1 of 2 ----------