Rockwell Fixes PLC Buffer Overflow
Tuesday, January 26, 2016 @ 05:01 PM gHale
Rockwell Automation created firmware to mitigate a stack-based buffer overflow vulnerability in its Allen-Bradley MicroLogix 1100 programmable logic controller (PLC) systems, according to a report on ICS-CERT.
This vulnerability, discovered by David Atch of CyberX, is remotely exploitable.
The following Allen-Bradley MicroLogix 1100 controller platforms suffer from the issue:
• 1763-L16AWA, Series B, Version 15.000 and prior versions
• 1763-L16BBB, Series B, Version 15.000 and prior versions
• 1763-L16BWA, Series B, Version 15.000 and prior versions
• 1763-L16DWD, Series B, Version 15.000 and prior versions
• 1763-L16AWA, Series A, Version 15.000 and prior versions
• 1763-L16BBB, Series A, Version 15.000 and prior versions
• 1763-L16BWA, Series A, Version 15.000 and prior versions
• 1763-L16DWD, Series A, Version 15.000 and prior versions
Successful exploitation of the stack-based buffer overflow vulnerability may allow an attacker to remotely execute arbitrary code on the affected device.
Milwaukee, WI-based Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.
The affected products, Allen-Bradley MicroLogix 1100, are PLCs. According to Rockwell Automation, these products see action across several sectors, including chemical, critical manufacturing, food and agriculture, and water and wastewater systems. Rockwell Automation estimates these products see use on a global basis.
A stack-based buffer overflow vulnerability exists in a vulnerable function that may allow remote code execution when the device receives a malicious web request.
CVE-2016-0868 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.
Rockwell Automation addressed the stack-based buffer overflow vulnerability in the Allen-Bradley MicroLogix 1100 controller, hardware Series B, in firmware Version 15.002.
The identified vulnerability was not addressed in the Allen-Bradley MicroLogix 1100 controller, hardware Series A. Rockwell Automation recommends that asset owners using Series A controllers implement the appropriate mitigations discussed below.
Rockwell Automation has made the new firmware for the MicroLogix 1100 controller, hardware Series B, firmware Version 15.002, available, along with a security notification.
Rockwell Automation recommends evaluating the impact of the identified vulnerability within the host environment, and applying the following suggested mitigations, which are applicable.
• Update supported products with appropriate firmware updates
• Disable the web server on the MicroLogix 1100, as it is enabled by default. See the knowledgebase article, KB: 732398, for detailed instructions on disabling the web server for each controller platform.
• Set the key switch to RUN to prohibit re-enabling of the web server via RSLogix 500
• Rockwell Automation recommends subscribing to the Security Advisory Index (KB54102), which provides the most up-to-date information about security matters that affect Rockwell Automation products.
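
For asset owners working through the list above, the following added example (not part of the original report or of any Rockwell Automation tooling) triages an inventory against the affected platforms and the mitigations described here. The CSV column names, the sample rows and the choice to treat any Series B firmware below 15.002 as unpatched are assumptions of the example.

```python
import csv
import io

# Catalog numbers and fixed version taken from the advisory text above.
AFFECTED_CATALOGS = {"1763-L16AWA", "1763-L16BBB", "1763-L16BWA", "1763-L16DWD"}
FIXED_SERIES_B = (15, 2)  # firmware Version 15.002, Series B only

# Constructed sample inventory; column names and values are assumptions.
SAMPLE_INVENTORY = """asset,catalog,series,firmware,web_server,key_switch
PLC-01,1763-L16BWA,B,15.000,enabled,REM
PLC-02,1763-L16BWA,B,15.002,disabled,RUN
PLC-03,1763-L16AWA,A,14.000,enabled,PROG
PLC-04,1763-L16DWD,A,15.000,disabled,RUN
PLC-05,OTHER-MODEL,A,15.000,enabled,RUN
"""

def parse_version(text):
    """'15.002' -> (15, 2); raises ValueError on malformed input."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)

def triage(row):
    """Return the advisory mitigations still outstanding for one asset."""
    if row["catalog"].strip().upper() not in AFFECTED_CATALOGS:
        return []  # not a platform listed in the advisory
    series = row["series"].strip().upper()
    # Assumption: a Series B unit at or above 15.002 needs nothing further here.
    if series == "B" and parse_version(row["firmware"]) >= FIXED_SERIES_B:
        return []
    actions = []
    if series == "B":
        actions.append("update firmware to 15.002")
    # Series A has no fixed firmware, so only the compensating controls apply.
    if row["web_server"].strip().lower() != "disabled":
        actions.append("disable web server (KB 732398)")
    if row["key_switch"].strip().upper() != "RUN":
        actions.append("set key switch to RUN")
    return actions

def triage_inventory(csv_text):
    """Map asset name -> outstanding actions for every row of a CSV inventory."""
    return {r["asset"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for asset, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(asset, "->", "; ".join(actions) or "no action from this advisory")
```

An empty result means either the platform is not listed in the advisory or every mitigation listed for it is already in place.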