PN949 | MicroLogix Controller Vulnerabilities

Introduction

Description

Version 1.0 - December 1, 2016

Rockwell Automation® was notified of several vulnerabilities discovered in the MicroLogix™ 1100 and MicroLogix 1400 versions of the product family. MicroLogix is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure to Water, and Wastewater Systems.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector had the potential to affect other Rockwell Automation product platforms.

Details relating to these vulnerabilities, the known affected platforms, and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

• 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.004 and earlier.
• 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Hardcoded Usernames

Hardcoded username credentials on the MicroLogix 1100 and MicroLogix 1400 PLCs can reduce the effort required to obtain the full set of user credentials, which could allow unauthorized administrative access to device configuration options available through the web interface.

A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability #2: Information Disclosure

Ilya Karpov reported to Rockwell Automation that user credentials, along with other information exchanged between browser and webserver are sent in clear text, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server.

CVE-2016-9334 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability #3: Incorrect Permission Assignment for Critical Resource

Ilya Karpov reported to Rockwell Automation that a vulnerability exists in those instances where a user with administrator privileges goes to a specific link and remove all administrative users from the functional web service. A factory reset is required to remove the improper changes and restore the web service to this product.

CVE-2016-9338 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

RISK MITIGATIONS

Customers using affected versions of the MicroLogix 1400 and MicroLogix 1100 PLCs are encouraged to update to the newest available software versions that address associated risks and include added improvements to further help harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. Employ multiple strategies when possible.

1. Update supported products based on this table:

   Product Family	Catalog Numbers	Hardware Series	Vulnerabilities Remediated	Suggested Actions
   MicroLogix 1100	1763-L16AWA 1763-L16BBB 1763-L16BWA 1763-L16DWD	Series B	Vulnerability #3: Permanent DoS	- Apply FRN 15.000 or higher (Downloads) - Disable the web server. See Item #2 below for details. - Apply the additional mitigations described below.
   	1763-L16AWA 1763-L16BBB 1763-L16BWA 1763-L16DWD	Series A	None	- Disable the web server. See Item #2 below for details. - Apply the additional mitigations described below.
   MicroLogix 1400	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Series B	All Vulnerabilities	- Apply FRN 16.000 (Downloads) - Disable the web server. See Item #2 below for details. - Apply the additional mitigations below.
   	1766-L32AWA 1766-L32AWAA 1766-LK32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Series A	None	- Disable the web server. See Item #2 below for details. - Apply the additional mitigations belowmitigations below.

2. Disable the webserver on the MicroLogix 1100 or the MicroLogix 1400, as it is enabled by default. See 732398 - How to disable the web server in MicroLogix 1100 and 1400 for detailed instructions on disabling the web server.
3. Set the keyswitch to RUN to prohibit any re-enabling of the web server while the keyswitch is in this mode.
4. Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
6. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
8. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
9. We also recommend concerned customers continue to monitor this advisory, 54102 - Industrial Security Advisory Index and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation’s network and security services to enable assessment, design, implementation and management of validated, secure network architectures. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

• 54102 - Industrial Security Advisory Index
• Product Security Vulnerability FAQ

KCS Status