Loading

PN1411 | MicroLogix Controllers, RSLogix 500 Software Contains Multiple Vulnerabilities Affecting Confidentiality

Severity:
Critical,
Medium
Advisory ID:
PN1411
公開日:
March 05, 2020
最終更新日:
March 05, 2020
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
いいえ
Corrected:
いいえ
Workaround:
いいえ
CVE IDs
CVE-2020-6980,
CVE-2020-6990,
CVE-2020-6988,
CVE-2020-6984
概要
MicroLogix Controllers, RSLogix 500 Software Contains Multiple Vulnerabilities Affecting Confidentiality

Revision History
Revision Number
Version 1.0
Revision History
March 05, 2020 - Intitial release.

Executive Summary

A subset of MicroLogix™ controllers and RSLogix 500® software contain multiple vulnerabilities that could allow an attacker to gain access to sensitive project file information including passwords. Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies submitted reports to Rockwell Automation regarding several vulnerabilities found in the Allen-Bradley® MicroLogix controllers and RSLogix 500 software. A subset of these vulnerabilities was also independently co-discovered and reported by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.

Customers using affected versions of these products are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400 Controllers
Series B, v21.001 and earlier
Series A, all versions

MicroLogix 1100 Controllers
All versions

RSLogix 500® Software
V12.001 and earlier

Vulnerability Details

CVE-2020-6990: Use of Hard-Coded Cryptographic Key
The cryptographic key utilized to help protect the account password is hard-coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-6984: Use of a Broken or Risky Algorithm for Password Protection
The cryptographic function utilized to protect the password in MicroLogix is discoverable. This password protects access to the device. If successfully exploited a remote attacker could gain unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-6988: Use of Client-Side Authentication
A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller, and the controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.

CVSS v3.1 Base Score: 5.9/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

CVE-2020-6980: Unsecured SMTP Data Storage
If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project file or the controller, may be able to gather SMTP server authentication data as it is written to the project file in cleartext.

CVSS v3.1 Base Score: 4.0/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Acknowledgements:

CVE# Discovery Attribution
CVE-2020-6990 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.
CVE-2020-6984 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.  Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab.
CVE-2020-6988 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.  Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab.
CVE-2020-6980 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.

Risk Mitigation & User Action

Customers are encouraged to assess their level of risk regarding their specific applications and update to the latest available firmware or software version that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.

Note: Customers using affected versions of MicroLogix 1400 or MicroLogix 1100 are urged to contact their local distributor or sales office to upgrade their devices to MicroLogix 1400 Series B or a newer product line.

Product Catalog Numbers Suggested actions for CVE-2020-6990, CVE-2020-6984, and CVE-2020-6988 Suggested actions for CVE-2020-6980
MicroLogix 1400 controllers, Series B 1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA
Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download).  Use the Enhanced Password Security feature. Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download).  Use the Enhanced Password Security feature.
MicroLogix 1400 controllers, Series A 1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA
No direct mitigation. No direct mitigagion.
MicroLogix 1100 controllers. 1763-L16BWA
1763-L16AWA
1763-L16BBB
1763-L16DWD
No direct mitigation. No direct mitigation.
RSLogix 500® software R324-RL0x Apply version V11 or later (Download), used in conjunction with applied FRN 21.002 or later for MicroLogix 1400 Series B devices.  Use the Enhanced Password Security feature.

Other configurations, no direct mitigation.
No direct mitigation.

General Security Guidelines

  1. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  2. Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
  3. Locate control system networks and devices behind firewalls and isolate them from the business network.
  4. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  7. Use of the Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  8. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

Additional Links:

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left ロックウェル・オートメーションのホーム
  2. Chevron LeftChevron Left Trust & Security
  3. Chevron LeftChevron Left Industrial Security Adv
  4. Chevron LeftChevron Left Industrial Security Advisory Detail
を続行するには、クッキーの設定を更新してください.
この機能には、お客様の利便性を向上させるためにクッキーが必要です。これらのクッキーを許可するように設定を更新してください:
  • ソーシャルメディア・クッキー
  • 機能性クッキー
  • パフォーマンスクッキー
  • マーケティングクッキー
  • 全てのクッキー
いつでも設定を更新することができます。詳しくは{0}をご覧ください プライバシーポリシー
CloseClose