Rockwell Fixes Fault Generation Hole

Friday, April 11, 2014 @ 04:04 PM gHale

Rockwell Automation released new firmware for the MicroLogix product line that resolves a fault generation vulnerability that can cause a denial of service (DoS) in the Allen-Bradley MicroLogix, SLC 500, and PLC-5 controllers.

This remotely exploitable vulnerability first came to light in December 2012 from researcher Matthew Luallen of CYBATI.

The vulnerability affects the following Allen-Bradley devices:
• MicroLogix 1100 controller
• MicroLogix 1200 controller
• MicroLogix 1400 controller
• MicroLogix 1500 controller
• SLC 500 controller platform
• PLC-5 controller platform

This vulnerability affects the availability of the device and connected devices. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.

Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.

The affected products, MicroLogix, SLC500, and PLC5, are programmable logic controllers (PLCs). According to Rockwell Automation, these products deploy across several sectors including agriculture and food, water, chemical, manufacturing and others. According to Rockwell’s web site, these products see use in Germany, Czech Republic, France, Poland, Denmark, Hungary, Italy and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

When a user does not enable certain configuration parameters, the affected devices are susceptible to a remote attack. To exploit the vulnerability, the attacker sends specially crafted messages that change specific bits in status files. This creates a device fault, which in turn causes a DoS.

Attackers sending malicious packets to Port 2222 TCP/UDP and Port 44818 TCP/UDP will cause the device fault. An attack will be successful regardless of the controller’s mode switch setting. Physical interaction is required to recover the device.

CVE-2012-4690 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

On August 2, 2013, Rockwell Automation updated its product security advisory that addresses this topic, entitled “511407 – MicroLogix, SLC 500 and PLC5 Controller Vulnerability.”

There are now firmware releases available for MicroLogix 1100 controller, MicroLogix 1200 controller, MicroLogix 1400 controller, and MicroLogix 1500 controller.

Rockwell Automation recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, multiple strategies should be employed simultaneously.
• If possible, change the controller’s settings to the nonvulnerable state:
  • SLC-500: Set the Status file to “Static”
  • PLC-5: Enable the Passwords and Privileges feature.
• Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Click here for comprehensive information about implementing validated architectures designed to deliver these measures.
• Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
• Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to both TCP and UDP Port 2222 and Port 44818 using appropriate security technology (e.g., a firewall, UTM devices, or other security appliance).
• Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
• For more information about this vulnerability or other problems with a Rockwell device, contact the Rockwell Automation Support Center.
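
One way to verify that the port-blocking recommendation above is actually in force is to audit firewall or flow logs for traffic to Ports 2222 and 44818 that originates outside the Manufacturing Zone. The following is an added example, not code from Rockwell or from the original article; the zone address range, the log format, and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumption: the Manufacturing Zone address space at this site (hypothetical).
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]
# Ports named in the advisory: EtherNet/IP and CIP traffic, TCP and UDP.
CIP_PORTS = {2222, 44818}

# Constructed sample flow records: time, proto, src, dst, dport, action.
SAMPLE_FLOWS = """\
2014-04-11T09:00:01,tcp,10.20.1.15,10.20.5.10,44818,allow
2014-04-11T09:00:07,tcp,192.168.50.23,10.20.5.10,44818,allow
2014-04-11T09:01:12,udp,203.0.113.9,10.20.5.11,2222,deny
2014-04-11T09:02:30,tcp,192.168.50.23,10.20.5.10,443,allow
2014-04-11T09:03:44,udp,192.168.50.40,10.20.5.12,44818,allow
"""

def in_zone(addr):
    """True if addr belongs to one of the Manufacturing Zone networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANUFACTURING_ZONE)

def audit_flows(text):
    """Return flows to CIP ports on in-zone devices that originate outside the zone."""
    findings = []
    fields = ["time", "proto", "src", "dst", "dport", "action"]
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        if row["proto"].lower() not in ("tcp", "udp"):
            continue
        if int(row["dport"]) not in CIP_PORTS:
            continue
        if not in_zone(row["dst"]) or in_zone(row["src"]):
            continue
        # An allowed flow means the filtering rule is missing or too broad;
        # a denied flow means the rule held but the port is being reached for.
        row["severity"] = "policy-gap" if row["action"] == "allow" else "blocked-attempt"
        findings.append(row)
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['severity']:15} {f['proto']} "
              f"{f['src']} -> {f['dst']}:{f['dport']}")
```

Any `policy-gap` finding points to a path from outside the Manufacturing Zone to a controller port that the firewall should have closed.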
