CVE-2022-3752: Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Logix Controllers Vulnerable to Denial-of-Service Attack.

VxWorks vulnerabilities that affect Logix 5000™ controllers (00225602, 00225603, 00225605, 00225606, 00225607, 880628, 1000204)

CORRECTED Anomaly firmware revisions 28.015, 32.013, and 33.011 for these catalog numbers:

• Compact GuardLogix® 5370 Controllers

CORRECTED Anomaly in firmware revisions 32.013 and 33.011 for these catalog numbers:

• CompactLogix™ 5370 Controllers
• CompactLogix 5480 Controllers

CORRECTED Anomaly in Firmware Revision 31.013, 32.013, and 33.011 for these catalog numbers:

• GuardLogix 5580 Controllers
• Compact GuardLogix 5380 SIL 2 Controllers

CORRECTED Anomaly as of Firmware Revision 30.015, 31.013, 32.013, and 33.011 for these Catalog Numbers:

• ControlLogix® 5580 Controllers
• CompactLogix 5380 Controllers

Known Anomaly First Identified in firmware revision 20.011 for these catalog numbers:

• CompactLogix 5370 Controllers

Known Anomaly First Identified in firmware revision 28.011 for these catalog numbers:

• ControlLogix 5580 Controllers
• CompactLogix 5380 Controllers
• Compact GuardLogix 5370 Controllers

Known Anomaly First Identified in firmware revision 31.011 for these catalog numbers:

• GuardLogix 5580 Controllers
• Compact GuardLogix 5380 SIL2 Controllers

Known Anomaly First Identified in firmware revision 32.011 for these catalog numbers:

• CompactLogix 5480 Controllers

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerabilities, see Knowledgebase Technote VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP™ Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block.

Denial-of-Service Vulnerability That Affects Logix 5000™ Controllers (1042476,1042479)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerability, see Knowledgebase Product Notice Logix Controllers Vulnerable to Denial-of-Service Attack.

GoAhead Web Server Vulnerability – Logix 5000^® Controllers (1693483)

For a full list of the potentially affected Rockwell Automation products and a description of the vulnerabilities and additional mitigations, see Knowledgebase Product Notice, CVE-2019-5096 and CVE 2019-5097 Vulnerabilities Impact Multiple Products.

Compatible Software for Controller Firmware Revision 32.011

System Requirements as of Revision 32.011

• GuardLogix® 5580 Controllers
• ControlLogix® 5580 Controllers
• CompactLogix™ 5480 Controllers (5069-L46ERMW only)
• CompactLogix 5380 Controllers
• Compact GuardLogix 5380 Controllers
• GuardLogix 5570 Controllers
• ControlLogix 5570 Controllers
• CompactLogix 5370 Controllers
• Compact GuardLogix 5370 Controllers

This table identifies the minimum software versions that are compatible with firmware revision 32.011.

• GuardLogix® 5580 Controllers
• ControlLogix® 5580 Controllers
• CompactLogix™ 5380 Controllers
• Compact GuardLogix 5380 Controllers

• Current 4-character display messages
• Controller status indicators state
• EtherNet/IP status indicators state
• Safety Signature, Safety Locked Status, Safety Status (for GuardLogix 5580 and Compact GuardLogix 5380 controllers)

• GuardLogix® 5580 Controllers
• ControlLogix® 5580 Controllers
• CompactLogix™ 5380 Controllers
• Compact GuardLogix 5380 Controllers

• GuardLogix® 5580 Controllers
• ControlLogix® 5580 Controllers
• CompactLogix™ 5380 Controllers
• Compact GuardLogix 5380 Controllers

Reduced Device Configuration Time

System Feature First Identified as of Firmware Revision 32.011

• GuardLogix® 5580 Controllers
• ControlLogix® 5580 Controllers
• CompactLogix™ 5480 Controllers
• CompactLogix 5380 Controllers
• Compact GuardLogix 5380 Controllers

Improvements have been made to reduce device configuration time. Long device configuration time can extend the time that is required for the controller to transition from program mode to run mode time. These improvements are especially helpful for large systems with many PowerFlex® drives (non-motion), and other devices with large configurations, such as E300™ Electronic Overload Relays, Dynamix™ 1444 Integrated Condition Monitoring devices, and third-party devices.   

These improvements can decrease the controller program to run mode transition times:

1. After a download.
2. After a power-up.

IP Route Table Web Page Shows the Mask in Reverse Order (00183121)

Corrected anomaly with Firmware Revision 31.011

Known Anomaly First Identified as of Firmware Revision 28.011

Catalog Numbers: CompactLogix™ 5380, ControlLogix® 5580

The IP Route Table diagnostic web page shows the mask in reverse order (0.255.255.255).

Multicast Connections with Network Disruptions Can Cause a Controller MNRF/Assert (00210612)

CORRECTED Anomaly with Firmware Revision 32.011

Known Anomaly First Identified in Firmware Revision 31.011 for:

• Compact GuardLogix® 5380 SIL 2 controllers
• GuardLogix 5580 controllers

Known Anomaly First Identified in Firmware Revision 28.011 for:

• CompactLogix™ 5380 controllers
• ControlLogix® 5580 controllers

A controller can experience a major nonrecoverable fault (MNRF/Assert) if a controller application has I/O devices configured to use multicast connections and network disruptions occur.

• GuardLogix® 5580 Controllers
• ControlLogix® 5580 Controllers
• CompactLogix™ 5380 Controllers
• Compact GuardLogix 5380 Controllers

Controller memory is not fully released when a large tag is deleted online (00159315)

Corrected Anomaly as of Firmware Revision 32.011 for these catalog numbers:

• ControlLogix® 5580 Controllers
• GuardLogix® 5580 Controllers
• CompactLogix™ 5380 Controllers
• Compact GuardLogix 5380 Controllers

Controller memory is not fully released when a large tag is deleted online.

CORRECTED Anomaly in firmware revisions 33.011 for these catalog numbers:

• CompactLogix™ 5380 controllers
• CompactLogix 5480 controllers
• Compact GuardLogix® 5380 SIL2 controllers
• Compact GuardLogix 5380 SIL3 controllers
• ControlLogix® 5580 controllers
• GuardLogix 5580 controllers

Known Anomaly First Identified in firmware revision 28.011 for these catalog numbers:

• CompactLogix 5380 controllers
• ControlLogix 5580 controllers

Known Anomaly First Identified in firmware revision 31.011 for these catalog numbers:

• Compact GuardLogix 5380 SIL2 controllers
• GuardLogix 5580 controllers

Known Anomaly First Identified in firmware revision 32.011 for these catalog numbers:

• CompactLogix 5480 controllers

Known Anomaly First Identified in firmware revision 32.013 for these catalog numbers:

• Compact GuardLogix 5380 SIL3 controllers

After a break in Ethernet communication to a controller, on re-connection the controller can experience hung messages from connected and unconnected cached and uncached messages.

If you transition from Run to Program mode, the controller can appear to stay in Run mode even though I/O outputs are off. The Run status indicator blinks green. To recover, power cycle the controller.

Known Anomaly First Identified in:

• ControlLogix® 5580 Controllers, Revision 32.011
• ControlLogix 5580 Process Controllers, Revision 33.011
• GuardLogix® 5580 Controllers, Revision 32.011
• CompactLogix™ 5380 Motion Controllers, Revision 32.011
• CompactLogix 5380 Process Controllers, Revision 33.011
• Compact GuardLogix 5380 SIL2 Controllers, Revision 32.011
• Compact GuardLogix 5380 SIL3 Controllers, Revision 32.013

Minor fluctuations of the system time offset both on the producer controller and consumer controller side can cause minor velocity spikes, typically less than 1 % on the consumed axes in the remote controller.

This behavior is aesthetic and does not impact functionality.

Download Can Fail (00160311, 00206743)

CORRECTED Anomaly in firmware revision 33.011 for these catalog numbers:

• CompactLogix™ 5380 controllers
• CompactLogix 5480 controllers
• Compact GuardLogix® 5380 SIL2 controllers
• Compact GuardLogix 5380 SIL3 controllers
• ControlLogix® 5580 controllers
• GuardLogix 5580 controllers

Known Anomaly First Identified in firmware revision 28.011 for these catalog numbers:

• ControlLogix 5580 controllers
• CompactLogix 5380 controllers

Known Anomaly First Identified in firmware revision 31.011 for these catalog numbers:

• GuardLogix 5580 controllers
• Compact GuardLogix 5380 SIL2 controllers

Known Anomaly First Identified in firmware revision 32.011 for these catalog numbers:

• CompactLogix 5480 controllers

Known Anomaly First Identified in firmware revision 32.013 for these catalog numbers:

• Compact GuardLogix 5380 SIL3 controllers

After a project has been downloaded to a V28-V32 Logix controller, a subsequent download will time out with Error 806-8004253535.

See Knowledgebase Article Communication Loss On Download in Studio 5000 V28-V32.

FactoryTalk Batch Server Does Not Re-Connect to The PhaseManager™ Phases on The Controller After a Download (1084737, 1087383, 1087379)

Downloading a large ACD file improperly places the phases in the controller into an unknown state instead of the expected Idle state. This occurs more often with larger projects but does not occur every time. To recover, cycle power on the controller or break the connection between FactoryTalk® Batch and the controller for a duration longer than the connection timeout.

Multiple PXRQ Instructions Sharing the Same Phase Instruction Backing Tag Can Result in A Controller MNRF/Assert (00225972)

CORRECTED Anomaly with Firmware Revision 33.011

Known Anomaly First Identified in Firmware Revision 32.013 for:

• Compact GuardLogix® 5380 SIL 3 controllers

Known Anomaly First Identified in Firmware Revision 32.011 for:

• CompactLogix™ 5380 controllers
• Compact GuardLogix 5380 SIL 2 controllers
• CompactLogix 5480 controllers
• ControlLogix® 5580 controllers
• GuardLogix 5580 controllers

If your application code contains multiple Equipment Phase External Request (PXRQ) instructions that share the Phase Instruction backing tag, and the PXRQs backing tag is accessed while the PC bit is set to 1, a controller major nonrecoverable fault (MNRF/Assert) can occur.

For proper application code examples, see Knowledgebase Technote Implementation of PXRQ instruction to download a batch ID into ControlLogix.

Task Switching of User Tasks When Executing Multiple RTOS Instructions Can Cause A MNRF/Assert (1105041)

If the application contains RTOS (Real to String) instructions in different user tasks and the following execution occurs:

• Task A is executing an RTOS.
• Task A is interrupted to execute Task B.
• Task B executes an RTOS.
• Task A completes the RTOS previously interrupted.

A major nonrecoverable fault (MNRF/Assert) can occur.

For information on how to work around this in user application code, see Knowledgebase Technote RTOS instruction execution causes controller to MNRF.

• GuardLogix® 5580 Controllers, Revision 31.011
• ControlLogix® 5580 Controllers, Revision 31.011
• ControlLogix 5580 Process Controllers, Revision 33.011
• CompactLogix™ 5380 Controllers, Revision 31.011
• CompactLogix 5380 Process Controllers, Revision 33.011
• Compact GuardLogix 5380 SIL 2 Controllers, Revision 31.011
• Compact GuardLogix 5380 SIL 3 Controllers, Revision 32.013
• CompactLogix 5480 Controllers, Revision 32.011

Connected Uncached Messages Fail (00173896)

• GuardLogix® 5580 Controllers, Revision 29.011
• ControlLogix® 5580 Controllers, Revision 28.011
• ControlLogix 5580 Process Controllers, Revision 33.011
• CompactLogix™ 5380 Controllers, Revision 28.011
• CompactLogix 5380 Process Controllers, Revision 33.011
• Compact GuardLogix 5380 SIL 2 Controllers, Revision 31.011
• Compact GuardLogix 5380 SIL 3 Controllers, Revision 32.013
• CompactLogix 5480 Controllers, Revision 32.011

Connected UnCached messages that are sent to the controller can fail. This anomaly typically occurs if the Connected UnCached messages are sent when the controller is handling many messages and has temporarily run out of buffer resources.

To work around the anomaly, try the following:

• Cache connections. As many as 256 connections are available.
• Use the message instructions in a periodic task instead of a continuous task.
• Do not trigger messages as quickly as possible.

MSF Instruction Clears the .DriveEnableStatus Bit after the .DN is Set (00175088)

Known Anomaly First Identified in:

• ControlLogix® 5580 Controllers, Revision 28.011
• ControlLogix 5580 Process Controllers, Revision 33.011
• GuardLogix® 5580 Controllers, Revision 29.011
• CompactLogix™ 5380 Motion Controllers, Revision 28.011
• CompactLogix 5380 Process Controllers, Revision 33.011
• Compact GuardLogix 5380 SIL2 Controllers, Revision 31.011
• Compact GuardLogix 5380 SIL3 Controllers, Revision 32.013
• CompactLogix 5480 Controllers, Revision 32.011

The Motion Servo Off (MSF) instruction can report a .DN (Done) status before the drive clears the .DriveEnableStatus bit.

Dual Feedback Position Error Jumps (00232347, 00232504)

When the following configuration or conditions are met:

• Dual feedback.
• Feedback 2 is a linear device.
• Linear load type. Direct coupled linear or linear actuator.

Anytime the axis moves past one meter, the position command jumps by 1000 or 39.37 depending on the configured motion units.

Value That Is Outside the Supported WallClockTime Range (00182341, 00182342, 00190288, Lgx00169520)

Corrected Anomaly in:

• ControlLogix® 5570, Firmware Revision 30.011 and 20.019
• GuardLogix® 5570, Firmware Revision 30.011
• CompactLogix™ 5370, Firmware Revision 30.011 and 20.019
• Compact GuardLogix 5370, Firmware Revision 30.011
• ControlLogix 5560, Firmware Revision 20.019

Known Anomaly First Identified in:

• ControlLogix® 5580, Firmware Revision 28.011
• ControlLogix 5580 Process, Firmware Revision 33.011
• GuardLogix® 5580, Firmware Revision 31.011

• CompactLogix™ 5380, Firmware Revision 28.011
• CompactLogix 5380 Process, Firmware Revision 33.011
• Compact GuardLogix 5380 SIL2, Firmware Revision 31.011
• Compact GuardLogix 5380 SIL3, Firmware Revision 32.013
• CompactLogix 5480, Firmware Revision 32.011

• ControlLogix 5570, Firmware Revision 19.011
• GuardLogix 5570, Firmware Revision 20.011

• CompactLogix 5370, Firmware Revision 20.011
• Compact GuardLogix 5370, Firmware Revision 28.011

• ControlLogix 5560, Firmware Revision 11.011

When reading or viewing the WCT (WallClockTime) of the controller, the year can show a value of 586XXX (where the XXX is any values). This means that the wallclock value is outside the valid range for EPoch time.

The range of the WCT has been tightened in the controller to 1/1/1970 00:00:00.000...12/31/2069 23:59:59.999. If the controller tries to handle a value outside the defined range, the controller does not apply the new value. It now logs a minor fault, Type 13 Code 21. The fault displays an unknown fault in the RSLogix 5000® software.

When the fault is logged, the WCT of the controller is set to 1/1/19XX 00:00:00.000, where XX is 81...86. The year corresponds to the Info[0] value for the minor fault.

1756-M02AS module has different restored position compared to ControlLogix 5570 controllers (00223534)

Corrected Anomaly with Firmware Revisions 32.013 and 33.011

Known Anomaly First Identified as of Firmware Revision 31.011

Catalog Numbers: ControlLogix^® 5580, GuardLogix^® 5580 controllers

With the ControlLogix 5570 controller, when you issue a Motion Axis Home (MAH) of zero to the actual position, then cycle power to the chassis, the ControlLogix 5570 controller restores a position of zero.

With the ControlLogix 5580 and GuardLogix 5580 controllers, when you issue a MAH of zero to the actual position, then cycle power to the chassis, the 5580 controller restored the position that existed prior to issuing the MAH to zero. 

The ControlLogix 5580 and GuardLogix 5580 controllers now restore a position of zero. See Rockwell Automation Knowledgebase Answer ID 1087381.

Socket Application Code Can Cause the Controller to MNRF (00227905, 00228810)

If your application code tries to access a socket that has already been deleted, the controller can experience a major nonrecoverable fault.

Editing of UDTs and AOIs Online Can Affect Online Behavior (00223654, 00230184, 880629, 1000207)

Workflows to potentially induce the anomaly

• Create a user-defined data type (UDT), then, after the creation, modify the definition.
• Take an existing UDT and modify it online.
• Create a new UDT online. Take an existing UDT and add the new UDT as a member of the existing UDT.
• Take an array of UDTs and change the array size.
• Take the above workflows and handle them through a partial import online (PIO).
• Delete UDTs online.

Effects on online behavior

• Controller experiences a major non-recoverable fault after a power cycle.
• Unable to upload the application into a new or existing ACD file.
• Unable to go online with an existing application file.
• After a controller power cycle, HMIs cannot reconnect to the controller and will require a download of the application.

• Studio 5000 Logix Designer® application shuts down due to an exception.

See Knowledgebase Technote Editing of UDTs and AOIs Online Can Affect Online Behavior for additional information.

MNRF/Assert Can Occur When Executing an MGSR and SSV Instruction Simultaneously with SERCOS or Analog Motion Modules (00228412)

CORRECTED Anomaly with Firmware Revision 33.011

Known Anomaly First Identified in Firmware Revision 31.011 for:

• ControlLogix® 5580 controllers
• GuardLogix® 5580 controllers

When executing a Motion Group Shutdown Reset (MGSR) instruction, while at the same time, a Set System Value (SSV) instruction is setting a value on a motion axis attribute, there is a potential for a major nonrecoverable fault (MNRF/Assert) to occur.

For more information, see Knowledgebase Technote Potential MNRF-5580 Controller using SSV and MGSR together (SERCOS/Analog Motion)

MAR and MAW Instructions Do Not Execute Properly After Controller Power Is Cycled (1120359, 1161982)

If a controller is powered down while a Motion Arm Registration (MAR) and/or a Motion Arm Watch (MAW) instruction is active, the state of the instruction will not be accurate on controller power up.

• A Motion Disarm Registration (MDR) is required to reset the MAR instruction.
• A Motion Disarm Watch (MDW) is required to reset to the MAW instruction.

For more information, see the Knowledgebase Technote MAR or MAW Instruction Not Executing Properly After a Power cycle.

Controller Input Data Associated with Remote 5069/5094 Standard Modules Can Be Inconsistent When Communication Errors Occur (1297430)

Remote 5069\5094 standard modules with unicast connection type can have inconsistent data when communication errors occur.

For more information, see Knowledgebase Technote Controller Input Data Associated with Remote 5069/5094 Standard Modules Can Be Inconsistent When Communication Errors Occur.

PCMD Returns Incorrect Error Code (1056295)

Equipment Phase Command (PCMD) returns the incorrect error code “0x6003, HIGH_PRIORITY_OWNED” when it should return “0x6004, NOT_ATTACHED”

Controller Can Assert During The I/O Module Configuration Process (1024030, 00219969)

Certain I/O modules send more configuration data than fits in a standard forward open (508 bytes) when the connection is being established.  Therefore, the configuration process can take longer to complete. Examples include E300™ Electronic Overload Relays, 1444 Dynamics, 1718 I/O, 1719 I/O, and many third-party I/O devices.

When the configuration data is being sent to the device, if you change the configuration through the Add-on Profile for the device and then apply the changes the controller can assert.

CIP™ Axis Velocity Loop Causes Controller To MNRF/Assert (1008498, 1006943)

Setting the Axis Direct Command Velocity Tag to “Not a Number” (NaN) causes the controller to experience a major nonrecoverable fault/assert.

Controller, Sercos, and Analog Servo Modules Can Stop Communicating or the Controller can MNRF/Assert (00229188)

In an application with multiple axes, if you power cycle all drives that are connected to a Sercos or analog servo motion module:

• the controller, Sercos module, or analog servo motion module can stop communicating, or
• the controller can experience a major nonrecoverable fault/assert.

This includes these modules:

• 1756-M02AE
• 1756-M02AS
• 1756-M03SE
• 1756-M08SE
• 1756-M08SEG

Misconfigured Produced/Consumed Tags Can Cause a Controller MNRF/Assert (00222833, 1594463)

Mismatch of safety, standard, produced, and consumed tags can cause a producing controller to experience a major nonrecoverable fault/assert.

For more information, see Knowledgebase Technote MNRF on a GuardLogix controller with Produce Consume Tags.

PortPhysicalAddressInfo GSV Does Not Populate After Controller Power Cycle (1451494, 1514584)

When a Get System Value (GSV) instruction configured for Class Name: TimeSynchronize and Attribute Name: PortPhysicalAddressInfo executes after a controller power cycle, the physical address (MAC ID) does not populate.

MCTPO Conflict Causes Incorrect Instruction Outputs (1806725)

When you use a Motion Calculate Transform Position with Orientation (MCTPO) instruction in multiple tasks simultaneously, the MCTPO reports an incorrect transform position.

To work around this anomaly, place a User Interrupt Disable (UID) instruction before each MCTPO instruction in each task, then place a User Interrupt Enable (UIE) instruction after each MCTPO operation in each task. If all the MCTPO instructions are used in only one task, no change needs to be made.

Controller Can MNRF When Executing CPS Instruction with Specific Data Types (1800992, 2129625, 2129629)

When executing a Synchronous Copy File (CPS) instruction with a motion diagnostics connection as the source or destination tag, the controller can experience a major nonrecoverable fault (MNRF).

To work around this anomaly, do not use motion diagnostics connections (such as AB:Motion_Diagnostics:S:1) as arguments to the CPS instruction. If a copy is still necessary, use a non-synchronous copy via the COP instruction.

Sent Bytes Per Second Displays a Larger Incorrect Value (1548181)

Under HMI/MSG Connected (EtherNet/IP Port) on the device Diagnostic webpages, Sent Bytes Per Second displays a much larger incorrect value, not the actual sent bytes per second.

Inverting Motion Polarity Does Not Invert the Value of Certain Signal Attributes (1329074, 1332544)

When the axis Motion Polarity bit is set to inverted, certain Signal attributes for a CIP™ axis will display a value opposite of the programmed direction of the axis.

The affected signal attributes are:

• #365 Fine Command Position

• #495 Torque Estimate

• #432 Position Reference

• #523 Motor Electrical Angle

• #565 Slip Compensation

• #600 Output Frequency

• #601 Output Current

• #602 Output Voltage

• #603 Output Power

• #1403 Velocity Feedback 1

• #1453 Velocity Feedback 2

For more information, see the Knowledgebase Technote Inverting Motion Polarity Does Not Invert the Value of Certain Signal Attributes.

Cannot Modify Armor PowerFlex Configuration While Online (1640552, 1644553, 00230101)

After you add an Armor™ PowerFlex® Drive to a Studio 5000 Logix Designer® project, you cannot modify the Drive configuration while online with a controller. The project can be unresponsive for up to 30 seconds and can cause the controller to experience an Assert/Major Nonrecoverable Fault.

Note: Armor PowerFlex Drives are currently supported in controller firmware revision 31.011 and later.