CVE 2024-5659: Multicast Request Causes Major Nonrecoverable Fault on Select Controllers

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Security Advisory ControlLogix and GuardLogix Vulnerable to Multicast Request Causes major nonrecoverable fault on Select Controllers.

CVE-2024-3493: Logix Controllers and Communication Modules Vulnerable to MNRF Due to Invalid Header Value

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Security Advisory ControlLogix and GuardLogix Vulnerable to major nonrecoverable fault due to Invalid Header Value.

• Catalog Numbers: 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT

Catalog Numbers:

• 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT

1756-EN4TR cannot be configured to appear in SNMP scan (Lgx00229065)

Content of offArray must be:

There are two additional tables to store result of IANA port admin state change operation.

Improved Product Resiliency for VxWorks Vulnerabilities 1756 ControlLogix EtherNet/IP Communication Modules

Corrected Anomaly in firmware revisions 3.002 for these catalog numbers:

• 1756-EN4TR
• 1756-EN4TRK
• 1756-EN4TRXT

Known Anomaly First Identified in firmware revision 3.001 for these catalog numbers:

• 1756-EN4TR
• 1756-EN4TRK
• 1756-EN4TRXT

Product improvements have been made to increase resiliency. See Product Security Vulnerabilities for more information.

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerabilities, see Rockwell Automation Knowledgebase article VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block.

Double Cable Break on Secondary Adapter Can Lead to Longer Qualification Times

When two 1756-EN4TR modules are used in remote chassis as a redundant adapter pair, and there are double-cable breaks on the secondary adapter, requalification can take a long time after the cables are reinserted.

Listen Only Disruptions when in Redundant Adapter Mode (Lgx00232454, Lgx00232604, Lgx00232589)

Known Anomaly First Identified as of Firmware Revision 3.001

Catalog Numbers: 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT

In a bridged multicast connection (not rack-optimized) "Listen-only" (one PLC with a normal connection, and a second with "listen only"):

• after a switch-over, the entire multicast connection gets closed

In rack-optimized connections where a "listen-only" connection is used (one PLC with normal connection, and a second with "listen only"):

• in secondary, after cable break and reconnect secondary ASSERTS
• in secondary, after disqualification, secondary ASSERTS

CIP Security Configuration Not Retained on Power Cycle with SD Card Slot Reconfigured (Lgx00232273)

Known Anomaly First Identified as of Firmware Revision 3.001

Catalog Numbers: 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT

If the SD Card slot was configured to be disabled, and then configured again to enabled state, the CIP Security configuration is lost after power-cycling the chassis. If the SD Card slot was configured only once to be disabled, and no further re-configurations were made, then CIP Security configuration is still applied.

Workarounds:

• Leave the SD Card slot in the default state (enabled) and do not change it in Studio 5000.
• Configure the SD Card slot to be disabled in Studio 5000 and do not attempt to reconfigure it later.
• If the reconfiguration of the SD Card slot to the enabled state is needed, immediately insert or replace an empty SD Card before the power-cycle for the device do a full backup of the configuration files to the SD Card.

Removing Security Policy Can Result in Lost Access to the EtherNet/IP Communication Module (00233815)

Known Anomaly First Identified as of Firmware Revision 3.001

Catalog Numbers: 1756-EN4TR

1756-EN4TR Can Provide Incorrect PRP Network Health Status (1517443)

When a packet is received only on one PRP LAN (either LAN A or LAN B), then the PRP Warning flag is not set and the counter for missing packets is not incremented. This results the 1756-EN4TR module providing the incorrect PRP network health status.

After A Power Cycle, Connection Can Take Time to Establish

After a power cycle, establishing an Ethernet connection between two 1756-EN4TRs can take longer than 50 seconds. To work around this issue, you can power cycle the 1756-EN4TR module, or remove and replace the Ethernet cable.

1756-EN4TR Becomes Unresponsive in PRP Configuration Mode

After a power cycle, a 1756-EN4TR module that is configured for PRP can become unresponsive. If this occurs, power cycle the 1756-EN4TR module again.

1756-EN4TR Can Provide Incorrect PRP LAN Status (1516251)

When there are cable breaks on both PRP LAN networks (LAN A and LAN B), it can take up to 13 seconds for the PRP Fault flags to update properly after one LAN is reconnected. This results in 13 seconds of incorrect PRP LAN status provided by the 1756-EN4TR module.

Safeboot in 1756-EN4TR Always Boots in a DLR Configuration Regardless of the Mode Rotary Switch Position (3333484)

When the 1756-EN4TR enters Safeboot during a reset to factory default settings, the module boots up in a DLR configuration regardless of the Mode Rotary Switch position. In PRP mode, this can cause heavy traffic and bridging LAN A and LAN B networks until the module is updated with standard firmware. This can happen if the update process fails during a firmware update on the module.

Open Socket Functionality Not Behaving as Expected (1957130, 1957175)

In a Socket Read Message, when reading an empty TCP Ethernet Buffer (buffer length of 0), the expectation is that a 12 byte header will be returned for the Socket Read Message’s .DN_LEN ([MessageTag].DN_LEN=12).

Instead, 0 bytes are returned by the message ([MessageTag].DN_LEN=0).

This anomaly affects the Rockwell Automation® Sample Code Add-On Instructions and Applications. For more information and a workaround for this anomaly, see the Knowledgebase Technote Socket functionality may not behave as expected in specific Logix controllers at version 35.011 and 1756-EN4TR version 5.001.

Disqualification of Redundant Chassis Pair Due to Concurrent Connection Timeout (1895856)

Rack-optimized Connections Can Cause an Ethernet Module to Assert (1186272, 1186282, 942336)

Five or more rack-optimized connections that are targeted to an Ethernet module cause the module to assert immediately. The module status display shows ‘RackInput.cpp LineXXX’ information in the assert message.

1756-EN4TR May Not Switchover After Reconnection

After both primary and secondary 1756-EN4TR modules are disconnected from the network, the redundant chassis pair may not switchover after the previously secondary module is reconnected to the network.

If this issue occurs, then manually reset the primary chassis.

Simultaneous Listen-Only and Rack-optimized Connections to the Same Module Can Lead To I/O Fault

If two controllers connect to the same I/O module through a 1756-EN4TR module, an I/O fault can occur if one controller uses listen-only connections and the other controller uses rack-optimized connections.

The controller that uses listen-only connections displays a Module Fault: (Code 0x0203) Connection Timed Out.

Cannot Update 1756-EN4TR Using Firmware Supervisor

If a Studio 5000 Logix Designer® application project with a ControlLogix® 5580 controller and a 1756-EN4TR module is saved to the SD card with the device firmware, then the ControlLogix 5580 controller cannot restore the firmware to the 1756-EN4TR module using Firmware Supervisor if the 1756-EN4TR module goes into safe boot.

While this occurs infrequently, if this happens, then use ControlFLASH™ or ControlFLASH Plus™ software to upgrade the 1756-EN4TR

Sent Bytes Per Second Displays a Larger Incorrect Value (1548181)

Under HMI/MSG Connected (EtherNet/IP Port) on the device Diagnostic webpages, Sent Bytes Per Second displays a much larger incorrect value, not the actual sent bytes per second.

Cannot Disable the Socket Object on 1756-EN4TR With a MSG Instruction (1804575)

When using a MSG instruction to disable the socket object on a 1756-EN4TR module, setting Attribute 9 to a source element value of 0 does not disable the socket object.