This release includes security enhancements as a part of our ongoing efforts to improve security. For information regarding Rockwell Automation's vulnerability disclosure process, please reference the Rockwell Automation Vulnerability Policy.
CVE 2024-5659: Multicast Request Causes Major Nonrecoverable Fault on Select Controllers
Controllers and Communication
Modules
|
First Known in
Firmware Revision
|
Corrected in Firmware Revision
|
CompactLogix™ 5380
|
34.011
|
V34.014, V35.013, V36.011 and later
|
Compact GuardLogix® 5380 SIL 2
|
34.011
|
V34.014, V35.013, V36.011 and later
|
Compact GuardLogix 5380 SIL 3
|
34.011
|
V34.014, V35.013, V36.011 and later
|
CompactLogix 5380 Process
|
34.011
|
V34.014, V35.013, V36.011 and later
|
CompactLogix 5480
|
34.011
|
V34.014, V35.013, V36.011 and later
|
ControlLogix® 5580
|
34.011
|
V34.014, V35.013, V36.011 and later
|
GuardLogix 5580
|
34.011
|
V34.014, V35.013, V36.011 and later
|
ControlLogix 5580 Process
|
34.011
|
V34.014, V35.013, V36.011 and later
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT
|
4.001
|
6.001 and later
|
For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Security Advisory ControlLogix and GuardLogix Vulnerable to Multicast Request Causes major nonrecoverable fault on Select Controllers.
This release includes security enhancements as a part of our ongoing efforts to improve security. For information regarding Rockwell Automation's vulnerability disclosure process, please reference the Rockwell Automation Vulnerability Policy.
CVE-2024-3493: Logix Controllers and Communication Modules Vulnerable to MNRF Due to Invalid Header Value
Controllers and Communication
Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
CompactLogix™ 5380
|
35.011
|
35.013, 36.011 and later
|
Compact GuardLogix® 5380 SIL 2
|
35.011
|
35.013, 36.011 and later
|
Compact GuardLogix 5380 SIL 3
|
35.011
|
35.013, 36.011 and later
|
CompactLogix 5380 Process
|
35.011
|
35.013, 36.011 and later
|
CompactLogix 5480
|
35.011
|
35.013, 36.011 and later
|
ControlLogix® 5580
|
35.011
|
35.013, 36.011 and later
|
GuardLogix 5580
|
35.011
|
35.013, 36.011 and later
|
ControlLogix 5580 Process
|
35.011
|
35.013, 36.011 and later
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT
|
5.001
|
6.001 and later
|
For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Security Advisory ControlLogix and GuardLogix Vulnerable to major nonrecoverable fault due to Invalid Header Value.
This release has the following requirements.
This release includes the following system features.
This release includes the following system features.
This release corrects the following anomalies.
Catalog Numbers:
1756-EN4TR cannot be configured to appear in SNMP scan (Lgx00229065)
Content of offArray must be:
There are two additional tables to store result of IANA port admin state change operation.
This release corrects the following anomalies.
Improved Product Resiliency for VxWorks Vulnerabilities 1756 ControlLogix EtherNet/IP Communication Modules
Corrected Anomaly in firmware revisions 3.002 for these catalog numbers:
Known Anomaly First Identified in firmware revision 3.001 for these catalog numbers:
Product improvements have been made to increase resiliency. See Product Security Vulnerabilities for more information.
For a full list of the potentially affected Rockwell Automation products and a description of the vulnerabilities, see Rockwell Automation Knowledgebase article VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block.
This release has the following known anomalies.
Double Cable Break on Secondary Adapter Can Lead to Longer Qualification Times
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
3.001
|
—
|
When two 1756-EN4TR modules are used in remote chassis as a redundant adapter pair, and there are double-cable breaks on the secondary adapter, requalification can take a long time after the cables are reinserted.
Listen Only Disruptions when in Redundant Adapter Mode (Lgx00232454, Lgx00232604, Lgx00232589)
Known Anomaly First Identified as of Firmware Revision 3.001
Catalog Numbers: 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT
In a bridged multicast connection (not rack-optimized) "Listen-only" (one PLC with a normal connection, and a second with "listen only"):
In rack-optimized connections where a "listen-only" connection is used (one PLC with normal connection, and a second with "listen only"):
CIP Security Configuration Not Retained on Power Cycle with SD Card Slot Reconfigured (Lgx00232273)
Known Anomaly First Identified as of Firmware Revision 3.001
Catalog Numbers: 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT
If the SD Card slot was configured to be disabled, and then configured again to enabled state, the CIP Security configuration is lost after power-cycling the chassis. If the SD Card slot was configured only once to be disabled, and no further re-configurations were made, then CIP Security configuration is still applied.
Workarounds:
Removing Security Policy Can Result in Lost Access to the EtherNet/IP Communication Module (00233815)
Known Anomaly First Identified as of Firmware Revision 3.001
Catalog Numbers: 1756-EN4TR
This release has the following known anomalies.
Safeboot in 1756-EN4TR Always Boots in a DLR Configuration Regardless of the Mode Rotary Switch Position (3333484)
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
4.001
|
—
|
When the 1756-EN4TR enters Safeboot during a reset to factory default settings, the module boots up in a DLR configuration regardless of the Mode Rotary Switch position. In PRP mode, this can cause heavy traffic and bridging LAN A and LAN B networks until the module is updated with standard firmware. This can happen if the update process fails during a firmware update on the module.
1756-EN4TR Can Provide Incorrect PRP Network Health Status (1517443)
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
4.001
|
5.001
|
When a packet is received only on one PRP LAN (either LAN A or LAN B), then the PRP Warning flag is not set and the counter for missing packets is not incremented. This results the 1756-EN4TR module providing the incorrect PRP network health status.
After A Power Cycle, Connection Can Take Time to Establish
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
4.001
|
—
|
After a power cycle, establishing an Ethernet connection between two 1756-EN4TRs can take longer than 50 seconds. To work around this issue, you can power cycle the 1756-EN4TR module, or remove and replace the Ethernet cable.
1756-EN4TR Becomes Unresponsive in PRP Configuration Mode
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
4.001
|
—
|
After a power cycle, a 1756-EN4TR module that is configured for PRP can become unresponsive. If this occurs, power cycle the 1756-EN4TR module again.
1756-EN4TR Can Provide Incorrect PRP LAN Status (1516251)
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
4.001
|
5.001
|
When there are cable breaks on both PRP LAN networks (LAN A and LAN B), it can take up to 13 seconds for the PRP Fault flags to update properly after one LAN is reconnected. This results in 13 seconds of incorrect PRP LAN status provided by the 1756-EN4TR module.
This release has the following known anomalies.
Open Socket Functionality Not Behaving as Expected (1957130, 1957175)
Controllers and Communication Modules
|
First Known in Firmware Revision
|
Corrected in Firmware Revision
|
CompactLogix™ 5380
|
35.011
|
35.013, 36.011 and later
|
Compact GuardLogix® 5380 SIL 2
|
35.011
|
35.013, 36.011 and later
|
Compact GuardLogix 5380 SIL 3
|
35.011
|
35.013, 36.011 and later
|
CompactLogix 5380 Process
|
35.011
|
35.013, 36.011 and later
|
CompactLogix 5480
|
35.011
|
35.013, 36.011 and later
|
ControlLogix® 5580
|
35.011
|
35.013, 36.011 and later
|
GuardLogix 5580
|
35.011
|
35.013, 36.011 and later
|
ControlLogix 5580 Process
|
35.011
|
35.013, 36.011 and later
|
1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT
|
5.001
|
—
|
In a Socket Read Message, when reading an empty TCP Ethernet Buffer (buffer length of 0), the expectation is that a 12 byte header will be returned for the Socket Read Message’s .DN_LEN ([MessageTag].DN_LEN=12).
Instead, 0 bytes are returned by the message ([MessageTag].DN_LEN=0).
This anomaly affects the Rockwell Automation® Sample Code Add-On Instructions and Applications. For more information and a workaround for this anomaly, see the Knowledgebase Technote Socket functionality may not behave as expected in specific Logix controllers at version 35.011 and 1756-EN4TR version 5.001.
Disqualification of Redundant Chassis Pair Due to Concurrent Connection Timeout (1895856)
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
5.001
|
5.003
|
These anomalies are from previous releases but are still known in this release.
Sent Bytes Per Second Displays a Larger Incorrect Value (1548181)
Controllers and Communication Modules
|
First Known in
Firmware Revision
|
Corrected in Firmware
Revision
|
CompactLogix™ 5380
|
28.011
|
35.011 and later
|
Compact GuardLogix® 5380 SIL 2
|
31.011
|
35.011 and later
|
Compact GuardLogix 5380 SIL 3
|
32.013
|
35.011 and later
|
CompactLogix 5380 Process
|
33.011
|
35.011 and later
|
CompactLogix 5480
|
32.011
|
35.011 and later
|
ControlLogix® 5580
|
28.011
|
35.011 and later
|
GuardLogix 5580
|
31.011
|
35.011 and later
|
ControlLogix 5580 Process
|
33.011
|
35.011 and later
|
1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT
|
2.01
|
5.001 and later
|
Under HMI/MSG Connected (EtherNet/IP Port) on the device Diagnostic webpages, Sent Bytes Per Second displays a much larger incorrect value, not the actual sent bytes per second.
Cannot Disable the Socket Object on 1756-EN4TR With a MSG Instruction (1804575)
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
2.001
|
5.001
|
When using a MSG instruction to disable the socket object on a 1756-EN4TR module, setting Attribute 9 to a source element value of 0 does not disable the socket object.
Rack-optimized Connections Can Cause an Ethernet Module to Assert (1186272, 1186282, 942336)
Communication Modules
|
First Known in Firmware Revision
|
Corrected in Firmware Revision
|
1756-EN2T, 1756-EN2TR
|
10.007
|
12.001 and later
|
1756-EN3TR
|
10.007
|
12.001 and later
|
1756-EN4TR,
1756-EN4TRK,
1756-EN4TRXT |
2.001
|
4.001
|
Five or more rack-optimized connections that are targeted to an Ethernet module cause the module to assert immediately. The module status display shows ‘RackInput.cpp LineXXX’ information in the assert message.
1756-EN4TR May Not Switchover After Reconnection
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
2.001
|
—
|
After both primary and secondary 1756-EN4TR modules are disconnected from the network, the redundant chassis pair may not switchover after the previously secondary module is reconnected to the network.
If this issue occurs, then manually reset the primary chassis.
Simultaneous Listen-Only and Rack-optimized Connections to the Same Module Can Lead To I/O Fault
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
2.001
|
—
|
If two controllers connect to the same I/O module through a 1756-EN4TR module, an I/O fault can occur if one controller uses listen-only connections and the other controller uses rack-optimized connections.
The controller that uses listen-only connections displays a Module Fault: (Code 0x0203) Connection Timed Out.
Cannot Update 1756-EN4TR Using Firmware Supervisor
Communication Modules
|
First Known in Firmware
Revision
|
Corrected in Firmware
Revision
|
1756-EN4TR, 1756-EN4TRK,
1756-EN4TRXT |
2.001
|
—
|
If a Studio 5000 Logix Designer® application project with a ControlLogix® 5580 controller and a 1756-EN4TR module is saved to the SD card with the device firmware, then the ControlLogix 5580 controller cannot restore the firmware to the 1756-EN4TR module using Firmware Supervisor if the 1756-EN4TR module goes into safe boot.
While this occurs infrequently, if this happens, then use ControlFLASH™ or ControlFLASH Plus™ software to upgrade the 1756-EN4TR