Introduction
Description
Version 1.0 -December 22, 2017
Thiago Alves, from the Center for Cybersecurity Researcher and Education at the University of Alabama, Huntsville contacted Rockwell Automation with a report detailing a potential vulnerability in the MicroLogix™ controller family that, if successfully exploited, could cause the controller to become unresponsive to Modbus TCP communications, and could potentially cause the controller to fault. Rockwell Automation has determined that several versions of the MicroLogix™ 1400 controller are affected by this vulnerability.
MicroLogix™ is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture; Critical Infrastructure; as well as Water and Wastewater Systems.
Customers using affected versions of this device are encouraged to evaluate the details of the vulnerability below as it applies to their specific device implementation, as well as to implement any applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.
AFFECTED PRODUCTS
MicroLogix 1400 Controllers, Series B and C
Versions 21.002 and earlier
This includes the following catalogs:
- 1766-L32AWA
- 1766-L32AWAA
- 1766-L32BWA
- 1766-L32BWAA
- 1766-L32BXB
- 1766-L32BXBA
VULNERABILITY DETAILS
A remote, unauthenticated attacker could send especially crafted Modbus TCP packets to the affected device in order to exploit a buffer overflow condition. The Modbus buffer is not deallocated when a packet exceeds a specific length. Repeated sending of Modbus TCP data can cause a denial of service to the Modbus functionality, and potentially cause the controller to fault.
Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
RISK MITIGATIONS and RECOMMENDED ACTIONS
Customers using affected versions of the MicroLogix™ 1400 PLCs are encouraged to update to the newest available firmware versions that address associated risks and include added improvements to further help harden the device and enhance its resilience against similar malicious attacks.
- Update supported products based on this table:
| Product Family | Catalog Numbers | Hardware Series | Suggested Actions |
| MicroLogix 1400 | 1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA | Series B or C | - Apply FRN 21.003 (Downloads) - Apply the any additional mitigations below. |
- All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix™ 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.
GENERAL SECURITY GUIDELINES
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
- Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to specific ports using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, see Knowledgebase Article ID 898270.
- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
REVISION HISTORY
| Date | Version | Details |
| 22-Dec-2017 | 1.0 | Initial Release |
KCS Status
