Introduction
Description
Version 1.0 - March 28, 2018
Jared Rittle and Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group contacted Rockwell Automation with a report detailing several vulnerabilities in the MicroLogix 1400™ controller family that, if successfully exploited, can have impacts ranging from Denial of Service to potential information disclosure.
Rockwell Automation has evaluated the contents of the researcher’s report and produced this disclosure, which provides details relating to these vulnerabilities and recommended countermeasures.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
| Product | Catalog Numbers | Affected Versions |
|---|---|---|
| MicroLogix 1400 | 1766-Lxxx | FRN 21.003 and earlier |
| MicroLogix 1100 | 1763-Lxxx | FRN 16.00 and earlier |
VULNERABILITY DETAILS
The report from Cisco Talos contained six potential vulnerabilities. Rockwell Automation evaluated all six reported issues and provided fixes and/or mitigations after confirming the first five vulnerabilities. The sixth reported issue is also listed below; however, Rockwell Automation has determined that this feature works as intended. Additional details are provided below.
Vulnerability #1: Denial of Service via Ethernet Functionality
A remote, unauthenticated attacker could potentially send a specially crafted packet to the Ethernet port of an affected controller, putting the device in a fault state and potentially deleting ladder logic.
CVE-2017-12088 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #2: Denial of Service via Download Functionality
A remote, unauthenticated attacker could send a specially crafted packet to the controller during the standard download process. Without the proper packet to indicate download completion, the controller freezes in the download state for one minute before entering the fault state.
CVE-2017-12089 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #3: Denial of Service - SNMP-set request
A specially crafted SNMP-set request, when sent without the associated SNMP-set commands for firmware flashing, can cause the device to power cycle, resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.
CVE-2017-12090 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #4: Access Control Vulnerabilities
A remote, unauthenticated attacker could send a specially crafted packet to the affected device and utilize read or write operations that could result in several potential impacts, ranging from disclosure of sensitive information to modification of settings or ladder logic.
Potential implications as a result of the vulnerability are listed below; each situation was reported to us by Cisco Talos and has been addressed by Rockwell Automation.
| Item # | Summary of Situation | CVE ID |
|---|---|---|
| 4a | Modification of Communication Protocols and Network Configuration | CVE-2017-14462 |
| 4b | Overwriting the PLC Ladder Logic | CVE-2017-14463 |
| 4c | Memory Module Mismatch Fault | CVE-2017-14464 |
| 4d | Forcing PLC I/O | CVE-2017-14465 |
| 4e | Writing and Clearing Master Password (See **) | CVE-2017-14466 |
| 4f | Perform online edits to ladder logic | CVE-2017-14467 |
| 4g | Trigger the PLC to load program from Electrically Erasable Programmable Read-Only Memory (EEPROM) | CVE-2017-14468 |
| 4h | Setting an invalid value for the user fault routine | CVE-2017-14469 |
| 4i | Setting float elements to invalid values | CVE-2017-14470 |
| 4j | Setting fault bits in specific function files to cause a Denial of Service | CVE-2017-14471 |
| 4k | Reading Master Password (See **) | CVE-2017-14472 |
| 4l | Reading Master Ladder Logic | CVE-2017-14473 |
** Master Password not supported when using RSLogix 500 v11 and later with a MicroLogix 1400 controller flashed to FRN 21.002 or later.
Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10/10 has been assigned overall. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Vulnerability #5: File-Write vulnerability in Memory Module
A memory module installed in a MicroLogix controller allows a user to instruct the controller to write its program to the module without authentication. The memory module is a back-up, but it can also be used to load programs once an error occurs, and it has the ability to load the program every time the device powers on.
CVE-2017-12092 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 3.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.
Reported Issue #6: Malicious Register Session Packets lead to Communication Loss
The MicroLogix 1400 controller supports ten active sessions at a time. The issue describes a scenario where a malicious user sends their own Register Session packets in order to create their own connection to the controller, preventing valid users from accessing the PLC. However, when there are ten existing connections to the controller and another Register Session packet is sent, the oldest connection will be disconnected. The user whose online session has been disconnected receives the normal communication loss alert, upon which they can choose to reconnect.
CVE-2017-12093 has been assigned to this vulnerability by Cisco Talos. While evaluating this issue as a potential vulnerability, Cisco Talos assigned a CVSS v3.0 score of 5.3/10. For details, please follow the link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
RISK MITIGATION and RECOMMENDED USER ACTIONS
Customers using the affected controllers are strongly encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
- Update the affected products per the table below:
| Vulnerability | Product Family | Catalog Number | Hardware Series | Suggested Actions |
|---|---|---|---|---|
| #1: DoS via Ethernet Functionality | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #2: DoS via Download Functionality | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #3: DoS via SNMP-set request | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4a: Modification of Communication Protocol / Network Configuration | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4b: Overwriting Large Ladder Logic | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4c: Memory Module Mismatch | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4d: Forcing PLC I/O | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4e: Writing and Clearing Master Password | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4f: Perform online edits to ladder logic | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4g: Trigger PLC program load from EEPROM | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4h: Setting an invalid value to fault routine | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4i: Setting float elements to invalid values | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4j: Setting fault bits in function file causes DoS | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4k: Reading Master Password | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4l: Reading Master Ladder Logic | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #5: File-Write in Memory Module | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #6: Communications Loss | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
Note: In addition, customers using affected versions of MicroLogix 1100 or MicroLogix 1400 Series A are urged to contact their local distributor or Sales Office in order to upgrade their devices to a newer product line.
- Cisco Talos has created Snort rules (SIDs 44424, 44425, 44426, 44427, 44428, and 44429) to detect exploitation of these vulnerabilities. These rules can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules are not in the standard curated rule sets and must be enabled manually.
- If not using external communications, block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to specific ports using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, see Knowledgebase Article ID 898270.
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See 496391 - Blocking SNMP for more information on blocking access to SNMP services.
GENERAL SECURITY GUIDELINES
- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
REVISION HISTORY
| Date | Version | Details |
|---|---|---|
| 28-Mar-2018 | 1.0 | Initial Release |