PN885 | CompactLogix™ and 1756 ControlLogix® Communication Modules Reflective Cross-Site Scripting (XSS) Vulnerability

Severity: Medium
Advisory ID: PN885
Published Date: November 01, 2018
Last Updated: November 01, 2018
Revision Number: 1.2
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2016-2279
Summary
CompactLogix™ and 1756 ControlLogix® Communication Modules Reflective Cross-Site Scripting (XSS) Vulnerability

Description

Version 1.2 - November 1, 2018

On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley® CompactLogix™ controller platform. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the CompactLogix™ platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.

2016-03-01 UPDATE v1.1: Rockwell Automation has identified additional products containing this vulnerability, and these products are listed below. See the Risk Mitigations section below for information on available product firmware updates.

2018-11-01 UPDATE v1.2: Rockwell Automation received a report from an external researcher identifying additional product families that contain this vulnerability. These products are listed below. Please see the Risk Mitigations section for information on available firmware updates that address these vulnerabilities.

AFFECTED PRODUCTS/TECHNOLOGIES

2016-03-01 UPDATE: Additional Products:

  • 1769-L23E-QB1B, Version 20.018 and earlier (Will be discontinued in June 2016)
  • 1769-L23E-QBFC1B, Version 20.018 and earlier (Will be discontinued in June 2016)

2018-11-01 UPDATE: Additional Products:

  • 1756-EN2F
    • Series A, All Versions
    • Series B, All Versions
  • 1756-EN2T
    • Series A, All Versions
    • Series B, All Versions
    • Series C, All Versions
    • Series D, Version 10.007 and earlier
  • 1756-EN2TR
    • Series A, All Versions
    • Series B, All Versions
  • 1756-EN3TR
    • Series A, All Versions
  • 1769-L16ER-BB1B, Version 27.011 and earlier
  • 1769-L18ER-BB1B, Version 27.011 and earlier
  • 1769-L18ERM-BB1B, Version 27.011 and earlier
  • 1769-L24ER-QB1B, Version 27.011 and earlier
  • 1769-L24ER-QBFC1B, Version 27.011 and earlier
  • 1769-L27ERM-QBFC1B, Version 27.011 and earlier
  • 1769-L30ER, Version 27.011 and earlier
  • 1769-L30ERM, Version 27.011 and earlier
  • 1769-L30ER-NSE, Version 27.011 and earlier
  • 1769-L33ER, Version 27.011 and earlier
  • 1769-L33ERM, Version 27.011 and earlier
  • 1769-L36ERM, Version 27.011 and earlier

VULNERABILITY DETAILS

The vulnerability in the web application of the affected device allows an attacker to inject arbitrary JavaScript into an unsuspecting user’s web browser by a process known as Reflective Cross Site Scripting. The impact to the user’s automation system would be highly dependent on both the type of JavaScript exploit included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the Programmable Automation Controller or Communications module itself. Instead, they are vehicles to deliver an attack to the web browser.

A successful attack would not compromise the integrity of the device nor allow access to confidential information contained on it. On rare occasions, the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

CVE-2016-2279 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

RISK MITIGATIONS

  1. The following table summarizes available mitigations for each affected product:
    2018-11-01 UPDATE: Added 1756 ControlLogix Ethernet/IP Communications Modules

    Platform: 1756 ControlLogix® EtherNet/IP Communications Modules
    Catalog Number:
      • 1756-ENBT, All Versions
      • 1756-EN2F
        • Series A, All versions
        • Series B, All versions
      • 1756-EN2T
        • Series A, All Versions
        • Series B, All Versions
        • Series C, All Versions
      • 1756-EN2TR
        • Series A, All Versions
        • Series B, All Versions
      • 1756-EN3TR
        • Series A
    Recommendation: No direct mitigation provided. See NOTE: below for recommended actions.

    Platform: 1756 ControlLogix® EtherNet/IP Communications Modules
    Catalog Number:
      • 1756-EN2F, Series C
      • 1756-EN2T, Series D
      • 1756-EN2TR, Series C
      • 1756-EN3TR, Series B
    Recommendation: Apply FRN 10.010 or later (Download)

    Platform: Small Controllers: CompactLogix™ 5370 L1, CompactLogix™ 5370 L2, CompactLogix™ 5370 L3
    Catalog Number:
      • 1769-L16XX
      • 1769-L18XX
      • 1769-L24XX
      • 1769-L27XX
      • 1769-L30XX
      • 1769-L33XX
      • 1769-L36XX
    Recommendation:
      1. Apply FRN 28.011 or later (Download)
      2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030

    Platform: CompactLogix™ Packaged Controllers
    Catalog Number:
      • 1769-L23E-QB1B
      • 1769-L23E-QBFC1B
    Recommendation: Discontinued as of June 2016
      1. 1769-L23E-QB1B: Recommend Migration to 1769-L24ER-BB1B
         1769-L23E-QBFC1B: Recommend Migration to 1769-L24ER-QBFC1B
      2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030

    NOTE: Customers using previous series of the affected 1756 EtherNet/IP catalog numbers are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.

  2. Do not click on or open URL links from untrusted sources.
  3. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  5. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  6. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-16-061-02 Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability

REVISION HISTORY

Date Version Details
03-SEP-2015 1.0 Initial Release
01-MAR-2016 1.1 Update: Additional Products
01-NOV-2018 1.2 Update: Additional Products and IPS Definition
Attachments
File
KB-731098_Update_v1.2.pdf
