Rockwell Fixes CompactLogix Hole

Wednesday, March 2, 2016 @ 02:03 PM gHale

Rockwell Automation created firmware to mitigate a cross-site scripting vulnerability in its CompactLogix application, according to a report on ICS-CERT.

This vulnerability, discovered by independent researcher Aditya Sood, is remotely exploitable.

Rockwell Automation said the vulnerability affects the following versions of the Allen‑Bradley CompactLogix controller platform:
• 1769-L16ER-BB1B, Version 27.011 and earlier
• 1769-L18ER-BB1B, Version 27.011 and earlier
• 1769-L18ERM-BB1B, Version 27.011 and earlier
• 1769-L24ER-QB1B, Version 27.011 and earlier
• 1769-L24ER-QBFC1B, Version 27.011 and earlier
• 1769-L27ERM-QBFC1B, Version 27.011 and earlier
• 1769-L30ER, Version 27.011 and earlier
• 1769-L30ERM, Version 27.011 and earlier
• 1769-L30ER-NSE, Version 27.011 and earlier
• 1769-L33ER, Version 27.011 and earlier
• 1769-L33ERM, Version 27.011 and earlier
• 1769-L36ERM, Version 27.011 and earlier
• 1769-L23E-QB1B, Version 20.018 and earlier (Will discontinue in June 2016)
• 1769-L23E-QBFC1B, Version 20.018 and earlier (Will discontinue in June 2016)

A successful exploit using this vulnerability could affect the availability of the target device.

Rockwell Automation is a Milwaukee, WI-based company that maintains offices around the world.

The affected products, CompactLogix, are web-based SCADA systems. These products are deployed across several sectors, including chemical, critical manufacturing, food and agriculture, and water and wastewater systems, and are used globally.

The vulnerability in the CompactLogix web server allows an attacker to inject arbitrary JavaScript into an unsuspecting user’s web browser. The target of this type of attack is not the CompactLogix itself. Instead, the CompactLogix is a vehicle to deliver an attack to the web browser.

CVE-2016-2279 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

This vulnerability has been publicly disclosed; it is unknown whether there are public exploits that specifically target it. However, an attacker with low skill would be able to exploit this vulnerability.

Rockwell Automation recommends users of 1769-L23E-QB1B migrate to 1769-L24ER-BB1B and users of 1769-L23E-QBFC1B migrate to 1769-L24ER-QBFC1B.

For the other affected versions listed above, Rockwell Automation recommends users apply firmware Version 28.011+.

For more detailed information, see Rockwell’s security notification (KB731098).
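
The affected list and the remediation steps above can be applied to an asset inventory as a triage check. This is an added example, not code from Rockwell Automation or ICS-CERT; the inventory rows are constructed, and treating revisions as major.minor integers (so that 27.011 and 27.11 are the same revision) is an assumption.

```python
# Added example: triage inventory rows against the models/revisions listed in this article.
AFFECTED_THROUGH = {  # catalog number -> last affected (major, minor) revision
    **{m: (27, 11) for m in (
        "1769-L16ER-BB1B", "1769-L18ER-BB1B", "1769-L18ERM-BB1B",
        "1769-L24ER-QB1B", "1769-L24ER-QBFC1B", "1769-L27ERM-QBFC1B",
        "1769-L30ER", "1769-L30ERM", "1769-L30ER-NSE",
        "1769-L33ER", "1769-L33ERM", "1769-L36ERM")},
    "1769-L23E-QB1B": (20, 18), "1769-L23E-QBFC1B": (20, 18),
}
MIGRATE_TO = {  # discontinued models -> replacement named in the article
    "1769-L23E-QB1B": "1769-L24ER-BB1B",
    "1769-L23E-QBFC1B": "1769-L24ER-QBFC1B",
}
FIXED = (28, 11)  # "firmware Version 28.011+"

def parse_revision(text):
    """Assumption: major.minor integers. A float compare would rank 27.11 above 27.011."""
    major, _, minor = text.strip().partition(".")
    return int(major), int(minor or 0)

def triage(catalog, revision):
    """Return (status, action) for one inventory row."""
    model = catalog.strip().upper()
    if model not in AFFECTED_THROUGH:
        return "not-listed", "model is not in the article's affected list"
    rev = parse_revision(revision)
    if rev <= AFFECTED_THROUGH[model]:
        if model in MIGRATE_TO:
            return "affected", "migrate to " + MIGRATE_TO[model]
        return "affected", "apply firmware 28.011 or later"
    if model not in MIGRATE_TO and rev >= FIXED:
        return "fixed", "none"
    return "verify", "revision not covered by the article; check KB731098"

# Constructed sample inventory (not real asset data).
INVENTORY = [
    ("PLC-01", "1769-L33ER", "27.11"),
    ("PLC-02", "1769-L30ERM", "28.011"),
    ("PLC-03", "1769-L23E-QB1B", "20.018"),
    ("PLC-04", "1769-L18ER-BB1B", "27.012"),
    ("PLC-05", "1756-L71", "24.011"),
]

def report(rows=INVENTORY):
    return {name: triage(model, rev) for name, model, rev in rows}

if __name__ == "__main__":
    for name, (status, action) in report().items():
        print(f"{name}: {status:10} {action}")
```

Revisions that fall between the last affected release and the fixed release are reported as "verify" because the article does not state their status.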

Rockwell Automation also recommends the following security practices:
• Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is a requirement, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.