CVE-2022-1797 An invalid Class 3 industrial protocol message with a cached connection can cause a denial-of-service in Rockwell Automation Logix Controllers. This is a major nonrecoverable fault.

The issue was revealed when a vendor implemented a new software release in a legacy product and began receiving Class 3 protocol messages with malformed data. The vendor was using a simple caching solution that did not validate the data before it was stored in the cache. When a user sent a Class 3 protocol message with malformed data to the legacy product, the device received the message, stored the connection in its cache, and forwarded the message to the next hop. The vendor’s end users were experiencing a significant amount of downtime when they sent Class 3 protocol messages with malformed data to the device.

The vendor implemented a new software release in a different legacy product. When the vendor received new Class 3 protocol messages with malformed data, the legacy system used the same caching solution as the first legacy product. The vendor realized that the caching solution did not validate the data before it was stored in the cache. This allowed the first legacy product to receive the messages with malformed data and cache the connections. When a user sent a Class 3 protocol message with malformed data to the first legacy product, the device received the message, stored the connection in its cache, and forwarded the message to the next hop.

How to Stay Secure While Caching Class 3 Protocol Messages

The vendor used a caching solution that did not validate the data before it was stored in the cache, which the vendor came to realize. To stay secure and ensure that Class 3 protocol messages are never cached, implement an advanced filtering solution or change your caching strategy.

BGP Community malformed data issue

The issue was caused when an operator sent a malformed BGP UPDATE message to their peers. The update contained a 12-byte field in which the first 8 bytes were zero and the last 4 bytes were FF FF FF FF. This is an invalid IPv6 address, so all affected devices discarded the message without processing it. The vendor that received the malformed message did not recognize that it was an invalid entry in a BGP table and attempted to process it by storing the connection in its cache, which resulted in disruption of service for all devices on the path between the source and destination addresses.

Class 3 Protocol Vulnerability

The Class 3 protocol vulnerability was introduced when a vendor implemented a new software release in both legacy products. The vendor did not validate the data before it was stored in the cache and then received Class 3 protocol messages with malformed data.
