Introduction
Description
September 9, 2014 - Version 1.0
Rockwell Automation was notified by independent researcher Matthew Luallen of CYBATI (https://cybati.org/) and ICS-CERT of a Denial of Service (DoS) vulnerability to the DNP3 implementation of the Allen-Bradley MicroLogix 1400 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified Mr. Luallen’s discovery and released revised product firmware to address associated risk. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.
AFFECTED PRODUCTS
In collaboration with Mr. Luallen, Rockwell Automation has determined certain Allen-Bradley MicroLogix 1400 controller platforms are affected by this vulnerability:
- 1766-Lxxxxx Series A FRN 7 or earlier;
- 1766-Lxxxxx Series B FRN 15.000 or earlier
Note: DNP3 communication is disabled by default in the product.
VULNERABILITY DETAILS
DNP3 communication is disabled by default in the MicroLogix 1400 product. If the DNP3 capability is enabled, specific versions of the product become susceptible to a Denial of Service (DoS) attack that can be triggered when the product receives a particular series of malformed packets over its Ethernet or local serial ports that are directed at the link layer DNP3 header.
Successful exploitation of this vulnerability results in a disruption of the DNP3 application layer process and a loss of product communication and availability on the network, thereby resulting in a denial of service condition. Exploitation of the vulnerability can be triggered remotely and the attack is repeatable. Furthermore, the DoS results will be successful regardless of controller’s mode switch setting.
Product recovery from the denial of service condition requires a power cycle, yet the product will remain susceptible to subsequent attacks until the vulnerability is addressed or the threat is adequately mitigated or removed.
RISK MITIGATIONS
A new version of MicroLogix 1400 Series B firmware has been released to address the vulnerability and reduce associated risk to successful exploitation. Subsequent versions of MicroLogix 1400 Series B firmware and newer will incorporate these same enhancements.
The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.
1. Upgrade all MicroLogix 1400 controllers per the following table:
| Controller Platform | Catalog Number | Affected Firmware | Recommendation | |
| MicroLogix 1400 | 1766-L32xxxx | Series B FRN 15.000 and earlier. Series A | à
à | Upgrade to Series B FRN 15.001 or higher (available now). Refer to additional recommended risk mitigations as provided herein. |
| Current firmware for the MicroLogix 1400 Series B platform can be obtained here:
| ||||
2. Do not enable DNP3 communication in the product unless required.
3. Where appropriate, prohibit DNP3 communication that originates outside the perimeter of the Manufacturing Zone from entry into the Zone by blocking communication directed at Ethernet communication port 20000/TCP* and 20000/UDP* using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
*Note: Ports 20000/TCP and 20000/UDP are factory defaults as per the DNP3 specification, but can be reconfigured by the product owner.
4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
5. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
6. Employ layered security, defense-in-depth methods and network segregation and segmentation practices in system design to restrict and control access to individual products and control networks. Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
KCS Status
