PN1015 | MicroLogix Controller Vulnerabilities

Severity:
Low,
High,
Medium
Advisory ID:
PN1015
Published Date:
March 28, 2018
Last Updated:
March 28, 2018
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2017-12093,
CVE-2017-14471,
CVE-2017-14467,
CVE-2017-14472,
CVE-2017-14473,
CVE-2017-14462,
CVE-2017-14468,
CVE-2017-14463,
CVE-2017-14466,
CVE-2017-12092,
CVE-2017-12090,
CVE-2017-14465,
CVE-2017-14470,
CVE-2017-12089,
CVE-2017-14469,
CVE-2017-12088,
CVE-2017-14464

Description

Version 1.0 - March 28, 2018

Jared Rittle and Patrick DeSantis of Cisco Talos, the security intelligence and research group of Cisco Systems, Inc. ("Cisco"), contacted Rockwell Automation with a report detailing several vulnerabilities in the MicroLogix 1400™ controller family that, if successfully exploited, can have impacts ranging from Denial of Service to potential information disclosure.

Rockwell Automation has evaluated the contents of the researchers' report and produced this disclosure, which provides details relating to these vulnerabilities and recommended countermeasures.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Product          Catalog Numbers   Affected Versions
MicroLogix 1400  1766-Lxxx         FRN 21.003 and earlier
MicroLogix 1100  1763-Lxxx         FRN 16.00 and earlier


VULNERABILITY DETAILS

The report from Cisco Talos contained six potential vulnerabilities. Rockwell Automation evaluated all six reported issues, confirmed the first five, and provided fixes and/or mitigations for them. The sixth reported issue is also listed below; however, Rockwell Automation has determined that this feature works as intended. Additional details are provided below.

Vulnerability #1: Denial of Service via Ethernet Functionality
A remote, unauthenticated attacker could potentially send a specially crafted packet to the Ethernet port of an affected controller, which puts the device in a fault state and may delete ladder logic.

CVE-2017-12088 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0 and assigned a CVSS v3 base score of 8.6/10. The CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Denial of Service via Download Functionality
A remote, unauthenticated attacker could send a specially crafted packet to the controller during the standard download process. Without the proper packet to indicate download completion, the controller freezes in the download state for one minute before entering the fault state.

CVE-2017-12089 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0 and assigned a CVSS v3 base score of 6.8/10. The CVSS v3 vector string is: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #3: Denial of Service - SNMP-set request
A specially crafted SNMP-set request, when sent without the associated SNMP-set commands used for firmware flashing, can cause the device to power cycle, resulting in downtime for the device. A single packet is sufficient to trigger this vulnerability.

CVE-2017-12090 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0 and assigned a CVSS v3 base score of 6.3/10. The CVSS v3 vector string is: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: Access Control Vulnerabilities
A remote, unauthenticated attacker could send a specially crafted packet to the affected device and use read or write operations, with potential impacts ranging from disclosure of sensitive information to modification of settings or ladder logic.

Potential implications as a result of the vulnerability are listed below; each situation was reported to us by Cisco Talos and has been addressed by Rockwell Automation.

Item  CVE ID          Summary of Situation
4a    CVE-2017-14462  Modification of Communication Protocols and Network Configuration
4b    CVE-2017-14463  Overwriting the PLC Ladder Logic
4c    CVE-2017-14464  Memory Module Mismatch Fault
4d    CVE-2017-14465  Forcing PLC I/O
4e    CVE-2017-14466  Writing and Clearing Master Password (See **)
4f    CVE-2017-14467  Perform online edits to ladder logic
4g    CVE-2017-14468  Trigger the PLC to load program from Electrically Erasable Programmable Read-Only Memory (EEPROM)
4h    CVE-2017-14469  Setting an invalid value for the user fault routine
4i    CVE-2017-14470  Setting float elements to invalid values
4j    CVE-2017-14471  Setting fault bits in specific function files to cause a Denial of Service
4k    CVE-2017-14472  Reading Master Password (See **)
4l    CVE-2017-14473  Reading Master Ladder Logic

** The Master Password is not supported when using RSLogix 500 v11 and later with a MicroLogix 1400 controller flashed to FRN 21.002 or later.

Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0 and assigned an overall CVSS v3 base score of 10/10. The CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Vulnerability #5: File-Write vulnerability in Memory Module
A memory module installed in a MicroLogix controller allows a user to instruct the controller to write its program to the module without authentication. The memory module serves as a back-up, but it can also be used to load a program once an error occurs, and it can be configured to load the program every time the device powers on.

CVE-2017-12092 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0 and assigned a CVSS v3 base score of 3.7/10. The CVSS v3 vector string is: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Reported Issue #6: Malicious Register Session Packets lead to Communication Loss
The MicroLogix 1400 controller supports ten active sessions at a time. The issue describes a scenario where a malicious user sends their own Register Session packets in order to create their own connection to the controller, preventing valid users from accessing the PLC. However, when there are ten existing connections to the controller and another Register Session packet is sent, the oldest connection is disconnected. The user whose online session has been disconnected receives the normal communication loss alert, upon which they can choose to reconnect.

CVE-2017-12093 has been assigned to this vulnerability by Cisco Talos. While evaluating this issue as a potential vulnerability, Cisco Talos assigned a CVSS v3.0 score of 5.3/10. The CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

RISK MITIGATION and RECOMMENDED USER ACTIONS

Customers using the affected controllers are strongly encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

  1. Update the affected products per the table below. Each entry gives the vulnerability, then for each product family (catalog number, hardware series) the suggested actions:

#1: DoS via Ethernet Functionality
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Apply FRN 21.004 or later
  MicroLogix 1400 (1766-Lxxx), Series A
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information

#2: DoS via Download Functionality
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#3: DoS via SNMP-set request
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 Programmable Controllers User Manual, Publication 1766-UM001, for detailed instructions on enabling and disabling SNMP
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Vulnerability Not Applicable: MicroLogix 1100 does not support SNMP

#4a: Modification of Communication Protocol / Network Configuration
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
  MicroLogix 1400 (1766-Lxxx), Series A
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information

#4b: Overwriting Large Ladder Logic
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#4c: Memory Module Mismatch
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#4d: Forcing PLC I/O
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
  MicroLogix 1400 (1766-Lxxx), Series A
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information

#4e: Writing and Clearing Master Password
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Apply FRN 21.002 or later
  MicroLogix 1400 (1766-Lxxx), Series A
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information

#4f: Perform online edits to ladder logic
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#4g: Trigger PLC program load from EEPROM
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#4h: Setting an invalid value to fault routine
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#4i: Setting float elements to invalid values
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Apply FRN 21.004 or later
  MicroLogix 1400 (1766-Lxxx), Series A
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information

#4j: Setting fault bits in function file causes DoS
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#4k: Reading Master Password
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Apply FRN 21.002 or later
  MicroLogix 1400 (1766-Lxxx), Series A
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information

#4l: Reading Master Ladder Logic
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Migrate to MicroLogix 1400 Series B or C
    • See NOTE for migration information

#5: File-Write in Memory Module
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Set keyswitch to Hard Run to block any unauthorized changes
    • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
  MicroLogix 1400 (1766-Lxxx), Series A
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information
  MicroLogix 1100 (1763-Lxxx), All Series
    • Set keyswitch to Hard Run to block any unauthorized changes
    • See NOTE for migration information

#6: Communications Loss
  MicroLogix 1400 (1766-Lxxx), Series B or C
    • Functions as intended
  MicroLogix 1400 (1766-Lxxx), Series A
    • Functions as intended
  MicroLogix 1100 (1763-Lxxx), All Series
    • Functions as intended


NOTE: In addition, customers using affected versions of MicroLogix 1100 or MicroLogix 1400 Series A are urged to contact their local distributor or Sales Office in order to upgrade their devices to a newer product line.

  2. Cisco Talos has created the following Snort rules (SIDs) to detect exploits utilizing these vulnerabilities: 44424, 44425, 44426, 44427, 44428, and 44429. They can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. These Snort rules (SIDs) are not in the standard curated rule sets and must be enabled manually.
  3. If not using external communications, block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to specific ports using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, see Knowledgebase Article ID 898270.
  4. Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See 496391 - Blocking SNMP for more information on blocking access to SNMP services.
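The update table above, applied to a controller inventory. This is an added example, not Rockwell Automation's or Cisco Talos's code; it assumes each controller is described by product family ('1400' or '1100'), hardware series letter and FRN string, and it compares FRN values numerically (major.minor), which is an assumption about how the revisions order.

```python
import re

# PN1015 firmware fixes for MicroLogix 1400 Series B/C: CVE -> first FRN that corrects it.
FIRMWARE_FIXES = {
    "CVE-2017-12088": (21, 4),  # #1  DoS via Ethernet functionality
    "CVE-2017-14462": (21, 4),  # #4a communication protocol / network configuration
    "CVE-2017-14465": (21, 4),  # #4d forcing PLC I/O
    "CVE-2017-14466": (21, 2),  # #4e writing and clearing master password
    "CVE-2017-14470": (21, 4),  # #4i float elements
    "CVE-2017-14472": (21, 2),  # #4k reading master password
    "CVE-2017-14473": (21, 4),  # #4l reading master ladder logic
}
# CVEs for which the advisory lists only compensating controls (Hard Run keyswitch,
# Enhanced Password Protection, disabling SNMP) and no corrected firmware revision.
MITIGATE_ONLY = [
    "CVE-2017-12089", "CVE-2017-12090", "CVE-2017-14463", "CVE-2017-14464",
    "CVE-2017-14467", "CVE-2017-14468", "CVE-2017-14469", "CVE-2017-14471",
    "CVE-2017-12092",
]
SNMP_DOS = "CVE-2017-12090"  # not applicable to MicroLogix 1100, which has no SNMP


def parse_frn(text):
    """Turn a firmware revision string such as 'FRN 21.003' or '16.00' into (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FRN: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(family, series, frn):
    """Apply the PN1015 recommendation table to one controller.

    family: '1400' (1766-Lxxx) or '1100' (1763-Lxxx); series: hardware series letter.
    Returns the headline action, the firmware-fixable CVEs still open, and the CVEs
    that need compensating controls regardless of firmware level.
    """
    ver = parse_frn(frn)
    mitigate = [c for c in MITIGATE_ONLY if not (family == "1100" and c == SNMP_DOS)]
    if family == "1100" or series.upper() == "A":
        # No corrected firmware exists for these platforms; the advisory directs migration.
        return {"action": "migrate to MicroLogix 1400 Series B or C",
                "unfixed": sorted(FIRMWARE_FIXES), "mitigate_only": mitigate}
    unfixed = sorted(c for c, fix in FIRMWARE_FIXES.items() if ver < fix)
    action = "apply FRN 21.004 or later" if unfixed else "firmware fixes applied"
    return {"action": action, "unfixed": unfixed, "mitigate_only": mitigate}


if __name__ == "__main__":
    # Constructed inventory for illustration, not real devices.
    fleet = [("1400", "C", "FRN 21.003"), ("1400", "A", "FRN 21.003"), ("1100", "B", "FRN 16.00")]
    for fam, ser, frn in fleet:
        r = assess(fam, ser, frn)
        print(f"MicroLogix {fam} Series {ser} {frn}: {r['action']}; open: {r['unfixed']}")
```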
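Because the Talos rules above are outside the curated sets, a sensor can silently run without them. The following added check (not Rockwell Automation's or Cisco Talos's code) scans a Snort rules file and reports each of the six SIDs as enabled, commented out, or missing; the sample rules are constructed placeholders that only mimic rule syntax, not the real rule content.

```python
import re

# Snort SIDs the advisory says Cisco Talos published for these vulnerabilities.
PN1015_SIDS = {44424, 44425, 44426, 44427, 44428, 44429}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def audit_rules(rules_text, wanted=PN1015_SIDS):
    """Classify each wanted SID as 'enabled', 'disabled' (commented out) or 'missing'."""
    status = {sid: "missing" for sid in wanted}
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        if sid not in wanted:
            continue
        # A leading '#' means the rule is present in the file but not loaded by Snort.
        state = "disabled" if line.startswith("#") else "enabled"
        # If a SID appears both commented and live (old revision left behind), enabled wins.
        if status[sid] != "enabled":
            status[sid] = state
    return status


def not_enabled(rules_text):
    """SIDs from the advisory that would give no coverage as the file stands."""
    return sorted(sid for sid, st in audit_rules(rules_text).items() if st != "enabled")


# Constructed sample rules file; bodies are placeholders, not the Talos rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"PLACEHOLDER A"; sid:44424; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"PLACEHOLDER B"; sid:44425; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PLACEHOLDER C"; sid:44426; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"unrelated local rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for sid, st in sorted(audit_rules(SAMPLE_RULES).items()):
        print(sid, st)
    print("needs attention:", not_enabled(SAMPLE_RULES))
```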

GENERAL SECURITY GUIDELINES

  1. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  2. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

REVISION HISTORY

Date         Version  Details
28-Mar-2018  1.0      Initial Release

KCS Status

Released
