ControlLogix Firmware Patches

Monday, January 14, 2013 @ 05:01 PM gHale


Rockwell Automation released firmware patches for the multiple vulnerabilities in its ControlLogix products, according to a report on ICS-CERT.

Last January independent researcher Rubén Santamarta of IOActive identified the vulnerabilities and released proof-of-concept (exploit) code at the Digital Bond S4 Conference. The vulnerabilities are exploitable by transmitting arbitrary commands from a control interface to the programmable logic controller (PLC) or network interface card (NIC). The information was released without coordination with either the vendor or ICS-CERT.


Rockwell Automation released firmware patches on July 18, 2012, that resolve the remotely exploitable vulnerabilities. Rockwell has issued no further updates since those patches were released. Exploitation of these vulnerabilities could allow loss of confidentiality, integrity, and availability of the device.

Exploits that target these vulnerabilities are publicly available.

The following Rockwell products suffer from the vulnerabilities:
• All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications,
• 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules,
• CompactLogix L32E and L35E controllers,
• 1788-ENBT FLEXLogix adapter,
• 1794-AENTR FLEX I/O EtherNet/IP adapter,
• ControlLogix, CompactLogix, GuardLogix, and SoftLogix, Version 18 and prior,
• CompactLogix and SoftLogix controllers, Version 19 and prior,
• ControlLogix and GuardLogix controllers, Version 20 and prior,
• MicroLogix 1100, and
• MicroLogix 1400.

Successful exploitation of these vulnerabilities may result in a denial-of-service (DoS) condition or a controller fault, or may enable a man-in-the-middle (MitM) or replay attack.

The affected products are PLCs and communication modules. Rockwell Automation said these products deploy across several sectors including agriculture and food, water, chemical, manufacturing and others. These products see use in France, Italy, the Netherlands, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that changes the product’s configuration and network parameters, a DoS condition can occur. This situation could cause loss of availability and a disruption of communication with other connected devices. CVE-2012-6439 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.

When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.

Rockwell Automation engineers found this vulnerability as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference last January.

CVE-2012-6442 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.

CVE-2012-6435 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

An information exposure of confidential information results when the device receives a specially crafted CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP. Successful exploitation of this vulnerability could cause loss of confidentiality.

Rockwell Automation engineers discovered this vulnerability as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference last January.

CVE-2012-6441 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

There is an improper input validation with the NIC which does not properly validate the data sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the NIC to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.

CVE-2012-6438 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

There is an improper input validation with the CPU, which does not properly validate the data sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices.

CVE-2012-6436 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s Web server to view and alter product configuration and diagnostics information.

Rockwell Automation engineers found this vulnerability as they were investigating other vulnerabilities reported at the Digital Bond S4 2012 Conference last January.

CVE-2012-6440 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

There is an improper authentication with the firmware upload where the device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices.

CVE-2012-6437 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

An attacker with low to medium skill would be able to exploit these vulnerabilities.

Rockwell said any of the products affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.

To mitigate the vulnerabilities, Rockwell developed and released security patches to address each of the issues. To download and install the patches please refer to Rockwell’s Advisories at:
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470155
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470156

For more information on security with Rockwell Automation products, go to Rockwell’s Security Advisory Index.

Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.

To mitigate the vulnerabilities pertaining to receiving valid CIP packets:
1. Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM).
2. Employ a UTM appliance that specifically supports CIP message filtering.
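The first mitigation above is a boundary rule: CIP traffic on TCP/UDP 2222 and 44818 should never reach Logix devices from outside the Manufacturing Zone. The script below, an added example that is not part of the advisory or any Rockwell tooling, checks firewall flow records against that rule so a defender can confirm the rule is enforced and spot any CIP traffic crossing the boundary. The Manufacturing Zone range, the key=value log format, and the sample records are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Ports named in the ICS-CERT advisory for EtherNet/IP (CIP) traffic.
CIP_PORTS = {2222, 44818}

# Assumed Manufacturing Zone address range; replace with the real plant subnets.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class FlowEvent:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    action: str  # what the firewall did: "accept" or "drop"


def in_zone(addr: str) -> bool:
    """True when the address belongs to one of the Manufacturing Zone subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANUFACTURING_ZONE)


def parse_flow_line(line: str) -> FlowEvent:
    """Parse one constructed 'key=value key=value ...' firewall flow record."""
    fields = dict(token.split("=", 1) for token in line.split())
    return FlowEvent(fields["src"], fields["dst"], fields["proto"].lower(),
                     int(fields["dport"]), fields["action"].lower())


def is_cross_zone_cip(ev: FlowEvent) -> bool:
    """CIP port, TCP or UDP, destined for a zone device from a source outside the zone."""
    return (ev.dport in CIP_PORTS and ev.proto in ("tcp", "udp")
            and in_zone(ev.dst) and not in_zone(ev.src))


def find_cross_zone_cip(lines):
    """All CIP flows that crossed the zone boundary, whether the firewall dropped them or not."""
    return [ev for ev in map(parse_flow_line, lines) if is_cross_zone_cip(ev)]


def policy_gaps(lines):
    """Cross-zone CIP flows the firewall accepted: the blocking rule is not enforced there."""
    return [ev for ev in find_cross_zone_cip(lines) if ev.action == "accept"]


# Constructed sample records: one in-zone CIP flow, one accepted cross-zone flow,
# one dropped cross-zone flow, one non-CIP flow, and one flow leaving the zone.
SAMPLE_LOG = [
    "src=10.20.5.7 dst=10.20.5.10 proto=tcp dport=44818 action=accept",
    "src=192.168.50.4 dst=10.20.5.10 proto=tcp dport=44818 action=accept",
    "src=192.168.50.4 dst=10.20.5.11 proto=udp dport=2222 action=drop",
    "src=192.168.50.9 dst=10.20.5.10 proto=tcp dport=80 action=accept",
    "src=10.20.5.7 dst=192.168.50.4 proto=tcp dport=44818 action=accept",
]
```

Running `policy_gaps(SAMPLE_LOG)` on the sample returns only the accepted flow from 192.168.50.4 to port 44818, which is the case that needs a firewall rule change.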

To mitigate the vulnerability pertaining to the corrupted firmware update:
1. At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware.
2. Until Rockwell creates an update, the company said concerned customers should employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.

To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state:
1. Where possible, Rockwell recommends that users upgrade the affected products to Logix Release V20 or higher.

To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state:
1. Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher.
2. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher.
3. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above.
4. Employ a UTM as directed above.

To mitigate the vulnerability with the Web server password authentication mechanism:
1. Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.
2. Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.
3. Where possible, disable the Web server and change all default Administrator and Guest passwords.
4. If Web server functionality is needed, then Rockwell recommends upgrading the product’s firmware to the most current version to have the newest enhanced protections available such as:
a. When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.
b. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.
5. If the user needs Web server functionality, Rockwell recommends configuring user accounts to have READ only access to the product so an attacker cannot use those accounts to make configuration changes.
