Mitigation Strategy for Rockwell’s MicroLogix

Thursday, April 5, 2018 @ 04:04 PM gHale

Rockwell Automation has a mitigation strategy to handle improper authentication vulnerabilities in its MicroLogix Controller, according to a report with ICS-CERT.

Successful exploitation of these vulnerabilities, discovered by Jared Rittle and Patrick DeSantis of Cisco, could cause denial of service, disclosure of sensitive information, communication loss, and modification of settings or ladder logic.


The following versions of MicroLogix Controllers, a PLC (Programmable Logic Controller), suffer from the remotely exploitable vulnerabilities:
• MicroLogix 1400 Versions FRN 21.003 and prior
• MicroLogix 1100 Versions FRN 16.00 and prior

In one vulnerability, a remote, unauthenticated attacker could send a specially crafted packet to the Ethernet port of an affected controller, which puts the device in a fault state, and could result in the deletion of ladder logic.

CVE-2017-12088 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.

In addition, a remote, unauthenticated attacker could send a specially crafted packet that does not indicate the download is complete to the controller during the standard download process, causing the controller to freeze for one minute before entering a fault state.

CVE-2017-12089 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.

Also, a specially crafted SNMP-set request, when sent without associated SNMP-set commands for firmware flashing, can cause the device to power cycle, resulting in downtime for the device.

CVE-2017-12090 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

Also, a remote, unauthenticated attacker could send a specially crafted packet to the affected device and utilize read or write operations. This could result in several potential impacts, ranging from disclosure of sensitive information to modification of settings or ladder logic.

See the Rockwell customer notification for the table with specific CVEs. A CVSS v3 base score of 10.0 has been calculated.

In addition, a memory module, which is a backup, installed in a MicroLogix controller allows a user to instruct the controller to write its program to the module without authentication.

CVE-2017-12092 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.7.

Also, the MicroLogix 1400 controller supports 10 active sessions at a time. An attacker could send their own registered session packets, and once the 11th packet is sent, the first packet will be dropped and the user session will be lost.

CVE-2017-12093 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
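For monitoring, the session-table behavior described above can be replayed over connection records to see which host's registrations displaced another host's session. This is an added example, not code from Rockwell or ICS-CERT; the event format, host addresses, controller name and the oldest-first eviction model are assumptions based on the description in this article.

```python
from collections import Counter, deque

SESSION_SLOTS = 10  # the article states the MicroLogix 1400 holds 10 active sessions

def find_evictions(events, slots=SESSION_SLOTS):
    """Replay session events against an oldest-first model of each controller's
    session table and return (time, controller, evicted_host, evicting_host)
    for every registration that pushes out another host's session."""
    tables = {}      # controller -> deque of session owners, oldest first
    evictions = []
    for ts, host, plc, action in sorted(events):
        table = tables.setdefault(plc, deque())
        if action == "close":
            if host in table:
                table.remove(host)   # frees one slot held by this host
            continue
        if len(table) >= slots:      # table full: the oldest session is dropped
            victim = table.popleft()
            if victim != host:
                evictions.append((ts, plc, victim, host))
        table.append(host)
    return evictions

def hosts_to_investigate(events, slots=SESSION_SLOTS):
    """Count how many sessions of other hosts each host displaced."""
    return Counter(evictor for _, _, _, evictor in find_evictions(events, slots))

def sample_events():
    """Constructed events (seconds, host, controller, action); not real traffic."""
    hmi, eng, unknown, plc = "192.0.2.10", "192.0.2.11", "192.0.2.200", "plc-1400-a"
    events = [(0, hmi, plc, "register"), (1, eng, plc, "register"),
              (2, eng, plc, "close"), (3, eng, plc, "register")]
    # One host registering ten sessions in a row fills, then overflows, the table.
    events += [(10 + i, unknown, plc, "register") for i in range(10)]
    return events

if __name__ == "__main__":
    for ts, plc, victim, evictor in find_evictions(sample_events()):
        print(f"t={ts}s {plc}: session of {victim} displaced by {evictor}")
```

The model only knows about sessions it saw opened, so records should start from a point where the controller's session table is known, such as after a power cycle.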

The product sees use in the critical manufacturing, food and agriculture, and water and wastewater systems sectors. It also sees action on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Rockwell Automation has recommended users employ the following mitigation strategies where applicable:
• Users using affected versions of MicroLogix 1100 and MicroLogix 1400 Series A are urged to contact their local distributor or Sales Office in order to upgrade their devices to a newer product line
• Set keyswitch to Hard Run to block any unauthorized changes
• For MicroLogix 1400 Series only, apply FRN 21.002 or later

Rockwell Automation has provided more specific mitigations that can be found in their customer notification KB1072942. (login required)


