Severity:
High
Advisory ID:
PN1571
Published Date:
July 09, 2021
Last Updated:
July 09, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2021-33012
Summary
MicroLogix 1100 Persistent CPU Fault Vulnerability
Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 9, 2021. Initial Release
Executive Summary
Rockwell Automation received a report from Beau Taub at Bayshore Networks regarding a vulnerability in the MicroLogix 1100. If successfully exploited, this vulnerability may limit the availability of the programmable logic controller. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
- MicroLogix 1100, all versions.
Vulnerability Details
CVE-2021-33012: Persistent fault may lead to denial of service conditions.
A vulnerability exists in the MicroLogix 1100 that may allow a remote, unauthenticated attacker to cause a persistent fault condition. This condition will prevent the PLC from entering a RUN state which cannot be fixed by resetting the device. If successfully exploited, this vulnerability will cause the controller to fault when the controller is switched to RUN mode.CVSS v3.1 Base Score: 8.6 /10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Risk Mitigation & User Action
Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
A controller in this state can be recovered by downloading a new project to the controller or an offline copy of the project.
Additionally, Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.
| Vulnerability | Suggested Actions |
| CVE-2021-33012 | Put the controller mode switch to “Run” mode. Customer’s should consider migrating to a more contemporary controller. |
A controller in this state can be recovered by downloading a new project to the controller or an offline copy of the project.
Additionally, Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Use proper network infrastructure controls, such as firewalls, to help confirm that EtherNet/IP™ network traffic from unauthorized sources are blocked.
- Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- PN1354 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- ICSA-21-189-01
Copyright ©2022 Rockwell Automation, Inc.