Rockwell Mitigates Vulnerability

Monday, December 10, 2012 @ 02:12 PM gHale

Rockwell Automation released mitigation strategies for the fault generation vulnerability that can cause a denial of service (DoS) in the Allen-Bradley MicroLogix, SLC 500, and PLC-5 controller, according to a report on ICS-CERT.

Rockwell said the remotely exploitable vulnerabilities, found by independent researcher Matthew Luallen of CYBATI, affect the following versions:
• MicroLogix 1100 controller,
• MicroLogix 1200 controller,
• MicroLogix 1400 controller,
• MicroLogix 1500 controller,
• SLC 500 controller platform, and
• PLC-5 controller platform.

Wireless System Vulnerability
Photovoltaic System Holes Mitigated
ABB Patches Webserver Hole
Hole Exists; Wrong Vendor Selected

This vulnerability affects the availability of the device and connected devices.

A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to switch via direct physical interaction.

The affected products, MicroLogix, SLC500, and PLC5 are programmable logic controllers (PLC). According to Rockwell Automation, these products deploy across several sectors including agriculture and food, water, chemical, manufacturing and others. According to Rockwell’s Web site, these products see use in Germany, Czech Republic, France, Poland, Denmark, Hungary, Italy and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

When the user does not enable certain configuration parameters, the affected devices are susceptible to a remote attack. To exploit the vulnerability, the attacker sends specially crafted messages that change specific bits in status files. This creates a device fault, which in turn causes a DoS.

Attackers sending malicious packets to Port 2222 TCP/UDP and Port 44818 TCP/UDP will cause the device fault. An attack will be successful regardless of controller’s mode switch setting. Physical interaction is required to recover the device. CVE-2012-4690 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5

An attacker with a low skill would be able to exploit this vulnerability.

Rockwell Automation continues to assess the feasibility of enhancing security features of the MicroLogix platform to directly address or mitigate associated risk from this vulnerability. Due to technical limitations of the platform, the viability of altering the platform’s operation or adding specific product controls to mitigate risk remains in analysis.

Rockwell recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, users should employ multiple strategies simultaneously.
• If possible, change the controller’s settings to the non-vulnerable state
• SLC-500: Set the Status file to “Static”
• PLC-5: Enable the Passwords and Privileges feature
• Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to this Rockwell web site for comprehensive information about implementing validated architectures designed to deliver these measures.
• Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
• Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to both TCP and UDP Port# 2222 and Port 44818 using appropriate security technology (e.g., a firewall, UTM devices, or other security appliance).
• Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

Leave a Reply

You must be logged in to post a comment.