Rockwell Repairs DNP3 DoS Vulnerability

Friday, October 3, 2014 @ 02:10 PM gHale

Rockwell Automation created a firmware revision that mitigates a denial-of-service (DoS) vulnerability in the DNP3 implementation of the Allen-Bradley MicroLogix 1400 controller platform, according to a report on ICS-CERT.

Independent researcher Matthew Luallen of CYBATI discovered the remotely exploitable vulnerability.


The following Allen-Bradley MicroLogix 1400 controller platforms suffer from the issue:
• 1766-Lxxxxx Series A FRN 7 and earlier
• 1766-Lxxxxx Series B FRN 15.000 and earlier

Successful exploitation of this vulnerability results in a disruption of the DNP3 application layer process and a loss of product communication and availability on the network, thereby resulting in a DoS condition. Product recovery from the DoS condition requires a power cycle.

Milwaukee, WI-based Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.

The affected products, MicroLogix, are programmable logic controllers (PLCs). According to Rockwell Automation, these products see use across several sectors, including chemical, critical manufacturing, food and agriculture, and water and wastewater systems. Rockwell Automation estimates these products see use in Germany, Czech Republic, France, Poland, Denmark, Hungary, Italy, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

DNP3 communication is disabled by default in the MicroLogix 1400 product. However, if DNP3 capability is enabled, specific versions of the product become susceptible to a DoS attack. The attack can trigger when the product receives a particular series of malformed packets, directed at the DNP3 link-layer header, over its Ethernet or local serial ports.
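As an added illustration (not from the advisory, ICS-CERT or Rockwell), the check below walks the DNP3 link-layer frame structure defined in IEEE 1815 (0x05 0x64 start bytes, LEN, header CRC, 16-byte user-data blocks each with its own CRC) the way a protocol-aware monitor or filter at the Manufacturing Zone boundary could validate frames before they reach a controller. The sample frames are constructed; the advisory does not say which specific malformation triggers the fault.

```python
import struct

DNP3_START = b"\x05\x64"
DNP3_CRC_POLY = 0xA6BC  # reflected form of the DNP3 generator polynomial 0x3D65


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: init 0, reflected poly 0xA6BC, result bit-inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_CRC_POLY if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def check_dnp3_frame(frame: bytes) -> list:
    """Return the problems found in a DNP3 link-layer frame (empty list if well-formed)."""
    problems = []
    if len(frame) < 10:
        return ["frame shorter than the 10-byte link header"]
    if frame[:2] != DNP3_START:
        problems.append("bad start bytes %s" % frame[:2].hex())
    length = frame[2]  # LEN counts CTRL, DEST, SRC (5 bytes) plus user data, CRCs excluded
    if length < 5:
        problems.append("LEN %d below minimum of 5" % length)
    header_crc = struct.unpack_from("<H", frame, 8)[0]  # CRC is sent low byte first
    if dnp3_crc(frame[:8]) != header_crc:
        problems.append("header CRC mismatch")
    # User data follows in blocks of up to 16 bytes, each followed by a 2-byte CRC.
    user_len = max(length - 5, 0)
    blocks = (user_len + 15) // 16
    expected_total = 10 + user_len + 2 * blocks
    if len(frame) != expected_total:
        problems.append("frame is %d bytes, LEN implies %d" % (len(frame), expected_total))
        return problems  # block offsets cannot be trusted past this point
    pos = 10
    for i in range(blocks):
        size = min(16, user_len - 16 * i)
        block_crc = struct.unpack_from("<H", frame, pos + size)[0]
        if dnp3_crc(frame[pos:pos + size]) != block_crc:
            problems.append("CRC mismatch in user data block %d" % i)
        pos += size + 2
    return problems


# Constructed sample: RESET LINK request (no user data), master 1024 -> outstation 1.
GOOD_FRAME = bytes.fromhex("056405C001000004E921")
# Constructed malformed variant: LEN claims user data that is not present.
SHORT_FRAME = GOOD_FRAME[:2] + b"\x0a" + GOOD_FRAME[3:]

if __name__ == "__main__":
    print("good:", check_dnp3_frame(GOOD_FRAME))
    print("bad: ", check_dnp3_frame(SHORT_FRAME))
```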

CVE-2014-5410 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

No known public exploits specifically target this vulnerability; however, an attacker with medium skill would be able to exploit it.

Rockwell Automation released a new version of MicroLogix 1400 Series B firmware to address the vulnerability and reduce the associated risk of successful exploitation. Subsequent versions of MicroLogix 1400 Series B firmware will incorporate these same enhancements.

Rockwell Automation recommends the following immediate mitigation strategy: upgrade all MicroLogix 1400 Series B controllers to Series B FRN 15.001 or higher. Current firmware for the MicroLogix 1400 Series B platform is available from Rockwell Automation.

Users with Series A and Series B controllers should also apply the following risk mitigations:
• Do not enable DNP3 communication in the product unless required.
• Where appropriate, prohibit DNP3 communication that originates outside the perimeter of the Manufacturing Zone from entering the Zone by blocking communication directed at Ethernet Port 20000/TCP and 20000/UDP using appropriate security technology (e.g., a firewall, UTM devices, or other security appliance).
• Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic ends up blocked.
• Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.
• Employ layered security, defense-in-depth methods and network segregation and segmentation practices in system design to restrict and control access to individual products and control networks.

Rockwell Automation’s product disclosure (AID 620295) provides more information.
