Introduction
Description
Released: October 26, 2012
Updated: August 2, 2013 <Update A>
On September 14, 2012, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 controller platform. Details relating to this vulnerability, including the existence of exploit code, have been made public by the researcher at various training events. At this time, no known exploit code relating to this vulnerability has been released to the public.
On October 2, 2012 Rockwell Automation independently initiated and maintained direct contact with the researcher to obtain pertinent facts relating to this matter due to lack of sufficient details shared through ICS-CERT. We continue to work with the researcher directly and keep him apprised of the expanded scope of impact from his initial findings.
As a matter of course, Rockwell Automation expanded scope of this evaluation beyond the MicroLogix 1400 platform in order to determine if this same threat-vector has potential to impact other A-B controller platforms. Rockwell Automation has reproduced the vulnerability. Due to the breadth of platforms potentially affected, we have been conducting thorough evaluations to ensure completeness in our risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
AFFECTED PLATFORMS
Rockwell Automation has determined the following A-B products are affected by this vulnerability:
MicroLogix 1100 controller
MicroLogix 1200 controller (all versions prior to 13.000)
MicroLogix 1400 controller
MicroLogix 1500 controller (all versions prior to 13.000)
SLC 500 controller platform
PLC5 controller platform
VULNERABILITY DETAILS
MicroLogix Controller Platform
The vulnerability in the MicroLogix controller platform occurs due to inadequate write protection measures on the controller’s Status file.
The MicroLogix controller is susceptible to a remotely exploitable Denial of Service (DoS) attack should it receive certain messages that change specific status bits in the controller’s Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.
SLC 500 Controller Platform
The vulnerability in the SLC 500 controller platform occurs when the controller’s Status file property is not set to "Static," thereby allowing changes to the file contents.
When the SLC 500’s Status file is not configured to "Static," the SLC 500 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.
PLC5 Controller Platform
The vulnerability in the PLC5 controller platform occurs when the controller’s "Password and Privileges" feature is disabled.
When the Passwords and Privileges feature of the PLC5 controller is not enabled, the PLC5 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.
RISK MITIGATIONS
MicroLogix Controller Platform
<Begin Update A>
| Product | Recommended Action |
| MicroLogix 1100 controller | Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
| MicroLogix 1200 controller | Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
| MicroLogix 1400 controller | Upgrade product firmware to release 14.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
| MicroLogix 1500 controller | Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
<End Update A>
In addition to the above product-level mitigations, Rockwell Automation recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, multiple strategies should be employed simultaneously:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
5. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
We will communicate additional mitigation strategies to our concerned customers should more direct product-level mitigations be developed that can further reduce associated risk from this vulnerability.
SLC 500 Controller Platform
Remote attempts to write data to the SLC 500 platform’s Status file are ignored and discarded by setting the controller’s Status file properties to "Static" via RSLogix 500 software.
Rockwell Automation recommends where possible that the Status file "Static" configuration setting be enabled to reduce the likelihood of successful exploitation of the vulnerability. The "Static" file property setting is configured in the Status File Properties page of RSLogix 500 software.
PLC5 Controller Platform
Remote attempts to write data to the PLC5 platform’s Status file are ignored and discarded by using the controller’s "Password and Privileges" feature, configured via RSLogix 5 software.
Rockwell Automation recommends where possible that the Passwords and Privileges feature be enabled to reduce the likelihood of successful exploitation of the vulnerability.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
KCS Status
