Rockwell Fixes PLC System Holes

Thursday, October 29, 2015 @ 10:10 AM gHale


Rockwell Automation created new firmware versions to mitigate the vulnerabilities in Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems, except for the buffer overflow vulnerability in the Allen-Bradley MicroLogix 1400, according to a report on ICS-CERT.

Rockwell Automation is working to release a new firmware version for the buffer overflow vulnerability in the Allen-Bradley MicroLogix 1400.

These vulnerabilities, discovered independently by Ilya Karpov of Positive Technologies, David Atch of CyberX, and independent researcher Aditya Sood, are remotely exploitable.

The following Allen-Bradley MicroLogix 1100 controller platforms suffer from the issues:
• 1763-L16AWA, Series B, Version 14.000 and prior versions
• 1763-L16BBB, Series B, Version 14.000 and prior versions
• 1763-L16BWA, Series B, Version 14.000 and prior versions
• 1763-L16DWD, Series B, Version 14.000 and prior versions
• 1763-L16AWA, Series A, Version 14.000 and prior versions
• 1763-L16BBB, Series A, Version 14.000 and prior versions
• 1763-L16BWA, Series A, Version 14.000 and prior versions
• 1763-L16DWD, Series A, Version 14.000 and prior versions

The following Allen-Bradley MicroLogix 1400 controller platforms suffer from the issues:
• 1766-L32AWA, Series B, Version 15.002 and prior versions
• 1766-L32AWAA, Series B, Version 15.002 and prior versions
• 1766-L32BWA, Series B, Version 15.002 and prior versions
• 1766-L32BWAA, Series B, Version 15.002 and prior versions
• 1766-L32BXB, Series B, Version 15.002 and prior versions
• 1766-L32BXBA, Series B, Version 15.002 and prior versions
• 1766-L32AWA, Series A, Version 15.002 and prior versions
• 1766-L32AWAA, Series A, Version 15.002 and prior versions
• 1766-LK32BWA, Series A, Version 15.002 and prior versions
• 1766-L32BWAA, Series A, Version 15.002 and prior versions
• 1766-L32BXB, Series A, Version 15.002 and prior versions
• 1766-L32BXBA, Series A, Version 15.002 and prior versions

Successful exploitation of the vulnerabilities may allow a remote attacker to escalate privileges, execute arbitrary code, and cause a denial-of-service condition.

Milwaukee, WI-based Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.

The affected products, Allen-Bradley MicroLogix 1100 and 1400, are PLCs. These products see action across several sectors, including chemical, critical manufacturing, food and agriculture, and water and wastewater systems. These products see use on a global basis.

A buffer overflow vulnerability in one of the device's functions may crash the device or allow arbitrary code execution.

CVE-2015-6490 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, a specifically crafted web request may allow a remote attacker to crash the device, which would require the device to be power cycled to restore it to a working state.

CVE-2015-6492 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

Another vulnerability may allow a remote attacker to redirect external web content into the device’s web page frame, allowing remote file inclusion. This vulnerability ended up identified in ICS-ALERT-15-225-02A Rockwell Automation 1766-L32 Series Vulnerability, released on August 20.

CVE-2015-6491 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.6.

The cross-site scripting vulnerability may allow an attacker to inject and store JavaScript in the device’s web server, which could end up executed in the user’s web browser when accessing the embedded web server function. The stored JavaScript may be used to execute web requests, without the user's knowledge, in the context of the user who is viewing the page. A factory reset would be mandatory to remove the stored JavaScript.

CVE-2015-6488 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.7.

In the SQL injection hole, user input does not end up sufficiently sanitized, which may allow an attacker to create new users, delete users, or escalate privileges by getting an administrator to execute a specially crafted link.

CVE-2015-6486 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.7.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

Rockwell Automation fixed the vulnerabilities in the Allen-Bradley MicroLogix 1100 controller, hardware Series B, in firmware version FRN 15.000. The identified vulnerabilities do not end up addressed in the Allen-Bradley MicroLogix 1100 controller, hardware Series A. Rockwell Automation recommends that asset owners using Series A controllers implement the appropriate mitigations.

Rockwell Automation has addressed all but one of the reported vulnerabilities in the Allen-Bradley MicroLogix 1400 controllers, hardware Series B, in firmware version FRN 15.003. The buffer overflow vulnerability in the Allen-Bradley MicroLogix 1400 controller, hardware Series B, will end up addressed in a new firmware version, scheduled to release in November. The identified vulnerabilities do not end up addressed in the Allen-Bradley MicroLogix 1400 controller, hardware Series A. Rockwell Automation recommends that asset owners using Series A controllers implement the appropriate mitigations.

The firmware versions for the MicroLogix 1100 controller (hardware Series B), FRN 15.000, and the MicroLogix 1400 controller (hardware Series B), FRN 15.003, are available from Rockwell Automation.

Rockwell Automation’s security notification is available on its site, with a valid account.

Rockwell Automation recommends that asset owners evaluate the impact of each of these vulnerabilities within their environment, and apply those of the following suggested mitigations that are applicable:
• Update the supported products with the appropriate firmware update.
• Disable the web server on the MicroLogix 1100 and 1400, as it is enabled by default. See KB: 732398 for detailed instructions on disabling the web server for each controller platform. The Web Server Tech Note, KB: 732398 is available at the following URL, with a valid account.
• Set the keyswitch to Hard Run to prohibit re-enabling of the web server via RSLogix 500.
• Use trusted software, software patches, antivirus/anti-malware programs and interact only with trusted web sites and attachments.
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
• Rockwell recommends subscribing to the Security Advisory Index, which contains the Knowledgebase article KB: 54102 and provides the most up-to-date information about security matters that affect Rockwell Automation products. The Knowledgebase article is available at the following URL, with a valid account.
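Asset owners with many MicroLogix units usually need to turn the affected-product lists, the fixed firmware levels and the Series A/B distinction above into a repeatable check against their own inventory. The following is an added example written for this page; it is not code from ICS-CERT or Rockwell Automation. It encodes only the catalog numbers, version boundaries and mitigations stated in this article, treats firmware versions as numeric major.minor pairs (an assumption about how FRN numbers compare), and the inventory rows at the bottom are constructed sample data.

```python
"""Classify MicroLogix 1100/1400 inventory rows against the advisory summary above."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Affected catalog numbers and version boundaries as listed in the article.
# Versions are (major, minor) tuples: "Version 14.000 and prior" -> (14, 0).
PLATFORMS = {
    "MicroLogix 1100": {
        "catalogs": {"1763-L16AWA", "1763-L16BBB", "1763-L16BWA", "1763-L16DWD"},
        "last_affected": (14, 0),
        "fixed_series_b": (15, 0),       # FRN 15.000 addresses all reported issues
        "pending_cve": None,
    },
    "MicroLogix 1400": {
        "catalogs": {"1766-L32AWA", "1766-L32AWAA", "1766-L32BWA", "1766-L32BWAA",
                     "1766-L32BXB", "1766-L32BXBA", "1766-LK32BWA"},
        "last_affected": (15, 2),
        "fixed_series_b": (15, 3),       # FRN 15.003 addresses all but the buffer overflow
        "pending_cve": "CVE-2015-6490",  # buffer overflow fix still scheduled for release
    },
}

# Compensating controls from the article for units that get no firmware fix.
MITIGATIONS = (
    "disable the embedded web server (KB 732398)",
    "set the keyswitch to Hard Run so RSLogix 500 cannot re-enable the web server",
)


def parse_version(text: str) -> Tuple[int, int]:
    """Parse 'FRN 15.003', '15.003' or '14.000' into a comparable (major, minor) tuple."""
    cleaned = text.strip().upper()
    if cleaned.startswith("FRN"):
        cleaned = cleaned[3:].strip()
    major, minor = cleaned.split(".")
    return int(major), int(minor)


@dataclass
class Assessment:
    # out_of_scope | affected | affected_no_fix | partially_patched | patched | unknown
    status: str
    actions: Tuple[str, ...]


def assess(catalog: str, series: str, version: str) -> Assessment:
    """Decide what the advisory implies for one controller."""
    platform = next((p for p in PLATFORMS.values()
                     if catalog.strip().upper() in p["catalogs"]), None)
    if platform is None:
        return Assessment("out_of_scope", ())
    ver = parse_version(version)
    series = series.strip().upper()
    if ver <= platform["last_affected"]:
        if series == "B":
            fix = platform["fixed_series_b"]
            return Assessment("affected",
                              (f"update firmware to FRN {fix[0]}.{fix[1]:03d}",))
        # Series A hardware receives no firmware fix; only the mitigations apply.
        return Assessment("affected_no_fix", MITIGATIONS)
    if series == "B" and ver >= platform["fixed_series_b"]:
        pending: Optional[str] = platform["pending_cve"]
        if pending:
            return Assessment("partially_patched",
                              (f"{pending} fix pending; keep mitigations in place",) + MITIGATIONS)
        return Assessment("patched", ())
    # Above the listed affected range but not a documented fix level: verify manually.
    return Assessment("unknown", ("confirm firmware status against the vendor advisory",))


def assess_inventory(rows):
    """Return (catalog, series, version, status) for each (catalog, series, version) row."""
    return [(c, s, v, assess(c, s, v).status) for c, s, v in rows]


# Constructed sample inventory, not real site data.
SAMPLE_INVENTORY = [
    ("1763-L16BBB", "B", "14.000"),     # needs FRN 15.000
    ("1763-L16BBB", "A", "14.000"),     # Series A: mitigations only
    ("1766-L32BWA", "B", "FRN 15.003"), # patched except CVE-2015-6490
    ("1766-L32BWA", "A", "15.002"),     # Series A: mitigations only
    ("1756-L71", "B", "20.011"),        # different product line, out of scope
]

if __name__ == "__main__":
    for catalog, series, version, status in assess_inventory(SAMPLE_INVENTORY):
        actions = "; ".join(assess(catalog, series, version).actions) or "none"
        print(f"{catalog} series {series} {version}: {status} -> {actions}")
```

The useful output is the status column: "affected" rows have a firmware update available, "affected_no_fix" and "partially_patched" rows are the ones where the web server should be disabled and the keyswitch set to Hard Run until a fix exists, and "unknown" rows need a manual check rather than a silent pass.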