Rockwell Fixes MicroLogix, ControlLogix Modules

Thursday, December 6, 2018 @ 05:12 PM gHale

Rockwell Automation has revised firmware to address a missing authentication for critical function vulnerability in its MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules, according to a report from NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by David Noren, could allow an unauthenticated attacker to modify system settings and cause a loss of communication between the device and the system.


Rockwell reports the vulnerability affects the following PLC products:
• MicroLogix 1400 Controllers
    • Series A, all versions
    • Series B, v21.003 and earlier
    • Series C, v21.003 and earlier
• 1756 ControlLogix EtherNet/IP Communications Modules
    • 1756-ENBT, all versions
    • 1756-EWEB
        • Series A, all versions
        • Series B, all versions
    • 1756-EN2F
        • Series A, all versions
        • Series B, all versions
        • Series C, v10.10 and earlier
    • 1756-EN2T
        • Series A, all versions
        • Series B, all versions
        • Series C, all versions
        • Series D, v10.10 and earlier
    • 1756-EN2TR
        • Series A, all versions
        • Series B, all versions
        • Series C, v10.10 and earlier
    • 1756-EN3TR
        • Series A, all versions
        • Series B, v10.10 and earlier

An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address.

CVE-2018-17924 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.

The products see use in the critical manufacturing, food and agriculture, transportation systems, and water and wastewater systems sectors, and they are deployed on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

Rockwell Automation recommends users of affected products update to an available firmware revision that addresses the associated risk. Users who are unable to update their firmware are directed toward additional risk mitigation strategies provided herein and should combine these with the general security guidelines to employ multiple strategies simultaneously, when possible.

Rockwell Automation suggests the following actions for affected versions:

• MicroLogix 1400 Controllers 1766-Lxxx, Series A, no direct mitigation provided. See additional mitigating recommendations below for suggested actions.
• For MicroLogix 1400 Controllers 1766-Lxxx, Series B or C, apply FRN 21.004 and later. Once the new FRN is applied, use the LCD Display to put the controller in RUN mode to prevent configuration changes. See p. 115 of the MicroLogix 1400 Programmable Controllers User Manual (1766-UM001M-EN-P) for details.
• 1756 EtherNet/IP Web Server Module, 1756-EWEB, all series, no direct mitigation provided. See additional mitigating recommendations below for suggested actions.
• 1756 ControlLogix EtherNet/IP Communications Modules: 1756-ENBT, all versions; 1756-EN2F, Series A and Series B, all versions; 1756-EN2T, Series A, Series B and Series C, all versions; 1756-EN2TR, Series A and Series B, all versions; 1756-EN3TR, Series A. No direct mitigation provided. See additional mitigating recommendations below for suggested actions.
• 1756 ControlLogix EtherNet/IP Communications Modules: 1756-EN2F, Series C; 1756-EN2T, Series D; 1756-EN2TR, Series C; 1756-EN3TR, Series B. The recommendations are to apply FRN 11.001 and later. Once the new FRN is applied, enable Explicit Protected Mode. See p. 32 of the EtherNet/IP Network Configuration User Manual (ENET-UM001-EN-P) for details.
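
The affected-version list and the per-series actions above can be turned into an asset-inventory triage. The following is an added example, not code from Rockwell Automation or NCCIC; the status labels, the prefix matching on catalog numbers, and the sample inventory rows are assumptions, and any firmware below the fixed FRN is flagged for update.

```python
# Added example. Table transcribed from the advisory text above:
# series -> first fixed FRN, or None where no direct mitigation is provided.
FIXED_FRN = {
    "1766-L":     {"A": None, "B": "21.004", "C": "21.004"},  # MicroLogix 1400
    "1756-ENBT":  {"*": None},                                # all versions
    "1756-EWEB":  {"A": None, "B": None},
    "1756-EN2F":  {"A": None, "B": None, "C": "11.001"},
    "1756-EN2T":  {"A": None, "B": None, "C": None, "D": "11.001"},
    "1756-EN2TR": {"A": None, "B": None, "C": "11.001"},
    "1756-EN3TR": {"A": None, "B": "11.001"},
}

def frn(text):
    """Parse an FRN such as 'v21.003' into a comparable tuple (21, 3)."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))

def family(catalog):
    """Match a catalog number to an advisory family, longest prefix first
    so that 1756-EN2TR is not mistaken for 1756-EN2T."""
    cat = catalog.strip().upper()
    for key in sorted(FIXED_FRN, key=len, reverse=True):
        if cat.startswith(key):
            return key
    return None

def triage(catalog, series, firmware):
    """Return (status, fixed_frn) for one inventory row."""
    table = FIXED_FRN.get(family(catalog), {})
    key = "*" if "*" in table else series.strip().upper()
    if key not in table:
        return ("NOT_LISTED", None)
    fixed = table[key]
    if fixed is None:
        # No firmware fix: rely on the network mitigations in the advisory.
        return ("NO_FIX_NETWORK_MITIGATIONS", None)
    if frn(firmware) >= frn(fixed):
        # Patched: still enable RUN mode / Explicit Protected Mode.
        return ("FIXED_ENABLE_PROTECTION", fixed)
    return ("UPDATE_FIRMWARE", fixed)

# Constructed sample inventory (hypothetical assets, not from the advisory).
INVENTORY = [
    ("1766-L32BWA", "B", "21.003"),
    ("1766-L32BWA", "C", "21.004"),
    ("1756-EN2TR",  "C", "10.10"),
    ("1756-EN2T",   "C", "11.002"),
    ("1756-ENBT",   "A", "6.006"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(row, "->", triage(*row))
```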

Rockwell Automation suggests the following additional mitigating recommendations for affected versions:
• Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP messages from unauthorized sources are blocked.
• Consult the product documentation for specific features, such as a hardware key switch setting, which may be used to block unauthorized changes, etc.
• Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the operational zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP Ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
• Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.

For additional information, Rockwell Automation recommends users continue to monitor their advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 – Industrial Security Advisory Index (login required).


