Introduction
Description
Version 1.2 - November 1, 2018
On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley® CompactLogix™ controller platform. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the CompactLogix™ platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
2016-03-01 UPDATE v1.1: Rockwell Automation has identified additional products containing this vulnerability, and these products are listed below. See the Risk Mitigations section below for information on available product firmware updates.
2018-11-01 UPDATE v1.2: Rockwell Automation received a report from an external researcher identifying additional product families that contain this vulnerability. These products are listed below. Please see the Risk Mitigations section for information on available firmware updates that address these vulnerabilities.
AFFECTED PRODUCTS/TECHNOLOGIES
2016-03-01 UPDATE: Additional Products:
- 1769-L23E-QB1B, Version 20.018 and earlier (Will be discontinued in June 2016)
- 1769-L23E-QBFC1B, Version 20.018 and earlier (Will be discontinued in June 2016)
2018-11-01 UPDATE: Additional Products:
- 1756-EN2F
  - Series A, All Versions
  - Series B, All Versions
- 1756-EN2T
  - Series A, All Versions
  - Series B, All Versions
  - Series C, All Versions
  - Series D, Version 10.007 and earlier
- 1756-EN2TR
  - Series A, All Versions
  - Series B, All Versions
- 1756-EN3TR
  - Series A, All Versions
- 1769-L16ER-BB1B, Version 27.011 and earlier
- 1769-L18ER-BB1B, Version 27.011 and earlier
- 1769-L18ERM-BB1B, Version 27.011 and earlier
- 1769-L24ER-QB1B, Version 27.011 and earlier
- 1769-L24ER-QBFC1B, Version 27.011 and earlier
- 1769-L27ERM-QBFC1B, Version 27.011 and earlier
- 1769-L30ER, Version 27.011 and earlier
- 1769-L30ERM, Version 27.011 and earlier
- 1769-L30ER-NSE, Version 27.011 and earlier
- 1769-L33ER, Version 27.011 and earlier
- 1769-L33ERM, Version 27.011 and earlier
- 1769-L36ERM, Version 27.011 and earlier
VULNERABILITY DETAILS
The vulnerability in the web application of the affected device allows an attacker to inject arbitrary JavaScript into an unsuspecting user’s web browser by a process known as Reflective Cross Site Scripting. The impact to the user’s automation system would be highly dependent on both the type of JavaScript exploit included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the Programmable Automation Controller or Communications module itself. Instead, they are vehicles to deliver an attack to the web browser.
A successful attack would not compromise the integrity of the device nor allow access to confidential information contained on it. On rare occasions, the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.
CVE-2016-2279 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
RISK MITIGATIONS
- The following table summarizes available mitigations for each affected product:
2018-11-01 UPDATE: Added 1756 ControlLogix EtherNet/IP Communications Modules
Platform | Catalog Number | Recommendation |
1756 ControlLogix® EtherNet/IP Communications Modules | 1756-ENBT, All Versions; 1756-EN2F, Series A and Series B, All Versions; 1756-EN2T, Series A, Series B and Series C, All Versions; 1756-EN2TR, Series A and Series B, All Versions; 1756-EN3TR, Series A | No direct mitigation provided. See NOTE: below for recommended actions. |
1756 ControlLogix® EtherNet/IP Communications Modules | 1756-EN2F, Series C; 1756-EN2T, Series D; 1756-EN2TR, Series C; 1756-EN3TR, Series B | Apply FRN 10.010 or later (Download) |
Small Controllers: CompactLogix™ 5370 L1, CompactLogix™ 5370 L2, CompactLogix™ 5370 L3 | 1769-L16XX; 1769-L18XX; 1769-L24XX; 1769-L27XX; 1769-L30XX; 1769-L33XX; 1769-L36XX | 1. Apply FRN 28.011 or later (Download) 2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030 |
CompactLogix™ Packaged Controllers | 1769-L23E-QB1B; 1769-L23E-QBFC1B | Discontinued as of June 2016. 1. 1769-L23E-QB1B: Recommend Migration to 1769-L24ER-BB1B; 1769-L23E-QBFC1B: Recommend Migration to 1769-L24ER-QBFC1B 2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030 |
NOTE: Customers using previous series of the affected 1756 EtherNet/IP catalog numbers are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- ICSA-16-061-02 Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability
REVISION HISTORY
Date | Version | Details |
03-SEP-2015 | 1.0 | Initial Release |
01-MAR-2016 | 1.1 | Update: Additional Products |
01-NOV-2018 | 1.2 | Update: Additional Products and IPS Definition |