Update to 2-year-old CompactLogix Issue

Tuesday, October 30, 2018 @ 06:10 PM gHale

Rockwell Automation has an updated migration plan for a cross-site scripting vulnerability in its Allen-Bradley CompactLogix controllers, according to a report with NCCIC. The update is a follow-up to the original advisory published March 1, 2016.

Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript into a user’s web browser. Aditya Sood and Venkatesh Sivakumar (@PranavVenkatS) discovered the vulnerability.


Public exploits are available, and an attacker with a low skill level could leverage the vulnerability.

Rockwell Automation reports the remotely exploitable vulnerability affects the following versions of the Allen-Bradley CompactLogix controller platform and the 1756 EtherNet/IP communication modules:
• 1769-L16ER-BB1B, Version 27.011 and prior
• 1769-L18ER-BB1B, Version 27.011 and prior
• 1769-L18ERM-BB1B, Version 27.011 and prior
• 1769-L24ER-QB1B, Version 27.011 and prior
• 1769-L24ER-QBFC1B, Version 27.011 and prior
• 1769-L27ERM-QBFC1B, Version 27.011 and prior
• 1769-L30ER, Version 27.011 and prior
• 1769-L30ERM, Version 27.011 and prior
• 1769-L30ER-NSE, Version 27.011 and prior
• 1769-L33ER, Version 27.011 and prior
• 1769-L33ERM, Version 27.011 and prior
• 1769-L36ERM, Version 27.011 and prior
• 1769-L23E-QB1B, Version 20.018 and prior (discontinued as of June 2016)
• 1769-L23E-QBFC1B, Version 20.018 and prior (discontinued as of June 2016)
• 1756-EN2F
  – Series A, all versions
  – Series B, all versions
• 1756-EN2T
  – Series A, all versions
  – Series B, all versions
  – Series C, all versions
  – Series D, Version 10.007 and prior
• 1756-EN2TR
  – Series A, all versions
  – Series B, all versions
• 1756-EN3TR
  – Series A, all versions

The vulnerability in the CompactLogix’s web application allows an attacker to inject arbitrary JavaScript that then executes in a user’s web browser. The target of this type of attack is not the CompactLogix itself; the controller’s web server is the vehicle used to deliver the attack to the browser of a user who follows a crafted link to it.
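The mechanism described above is reflected cross-site scripting: the device copies part of the request into the HTML it returns, so whatever an attacker places in a link ends up running in the victim's browser with that page's origin. The following added example (written for this page; it is not Rockwell Automation code and does not reproduce the actual CompactLogix web application) shows the vulnerable rendering pattern next to its output-encoded form. The page name `diag`, the query parameter `name`, the HTML template and the controller address are all assumptions made for the demonstration.

```python
"""Reflected XSS in a device web page: vulnerable rendering beside its
output-encoded form.

Added illustration only. The /diag page, the 'name' parameter, the HTML
template and the address 192.0.2.10 are assumptions for this example and
do not describe the real CompactLogix web server.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit


def _query_param(request_url: str, key: str) -> str:
    """Return the first value of a query-string parameter, or ''."""
    params = parse_qs(urlsplit(request_url).query)
    return params.get(key, [""])[0]


def render_vulnerable(request_url: str) -> str:
    """Embed a query parameter in the page without encoding it.

    This is the pattern behind reflected XSS: the attacker's input is copied
    verbatim into the HTML, so a <script> element in the link becomes a
    <script> element the victim's browser executes.
    """
    name = _query_param(request_url, "name")  # hypothetical parameter
    return f"<html><body><h1>Diagnostics for {name}</h1></body></html>"


def render_hardened(request_url: str) -> str:
    """Same page, but the value is HTML-escaped before it is placed in text.

    html.escape turns <, >, &, " and ' into entity references, so the input
    is displayed as literal characters instead of being parsed as markup.
    """
    name = _query_param(request_url, "name")
    safe = html.escape(name, quote=True)
    return f"<html><body><h1>Diagnostics for {safe}</h1></body></html>"


def contains_script_tag(page: str) -> bool:
    """Crude check used here only to show which rendering is exploitable."""
    return "<script>" in page.lower()


# Constructed attacker link. In the phishing scenario the advisory warns
# about, the victim receives this URL and opens it in a browser that can
# reach the controller on the plant network.
PAYLOAD = "<script>alert(document.cookie)</script>"
ATTACK_URL = "http://192.0.2.10/diag?name=" + quote(PAYLOAD)  # assumed host/path


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(ATTACK_URL))
    print("hardened   :", render_hardened(ATTACK_URL))
```

Escaping at the point of output is the fix that a firmware update for a reflected XSS bug has to deliver; the user-side mitigations listed later in the advisory (do not follow untrusted links, keep controllers off the Internet) only reduce the chance that a crafted link reaches a browser that can talk to the device.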

CVE-2016-2279 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

The products see use in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, and are deployed on a global basis.

Rockwell Automation recommends users of 1769-L23E-QB1B migrate to 1769-L24ER-BB1B and users of 1769-L23E-QBFC1B migrate to 1769-L24ER-QBFC1B.

For 1756-EN2F Series C, 1756-EN2T Series D, 1756-EN2TR Series C, and 1756-EN3TR Series B, Rockwell Automation recommends users apply FRN 10.010 or later.

Users of earlier series of the affected 1756 EtherNet/IP catalog numbers are urged to assess their risk and, if necessary, contact their local distributor or sales office to upgrade to a newer product line that contains the relevant mitigations.

For the other affected versions listed above, Rockwell Automation recommends users apply firmware Version 28.011 or later.

For more detailed information, see Rockwell Automation’s security notification (KB731098), available to users with a valid account.

Rockwell Automation also recommends the following security practices:
• Do not click on or open URL links from untrusted sources.
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
• Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
