PN561 | Client Software Authentication Security Vulnerability in MicroLogix™ Controllers

Introduction

Description

Original disclosure: December 18, 2009

Updated: January 20, 2010

Updated: March 19, 2013 - version 1.0 (see below)

Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").

Details of this vulnerability are as follows:

The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept data communications between the product and any authorized programming and configuration client to RSEmulate the role of a trusted software client to potentially make unauthorized changes to the Product’s operation.

<START UPDATE>

Added: 20 Jan 2010

RISK MITIGATION

Enhancements to the MicroLogix 1400 firmware are being released that reduce the potential for a successful exploitation of the vulnerability.

MicroLogix 1400

Catalog Number	Description	Affected Products	Corrective Firmware
1766-L32xxxx	MicroLogix 1400 controller	Series B FRN 11 or earlier	FRN 12 or higher
Current firmware for MicroLogix can be obtained here: http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html

<END UPDATE>

<START UPDATE>

Added: 19 March 2013

Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.

In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.

NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.

For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection

<END UPDATE>

Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.

To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):

1. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.

1. Enable static protection on all critical data table files to prevent any remote data changes to critical data.

1. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

1. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

In addition to these immediate risk mitigation strategies, Rockwell Automation is addressing this potential security vulnerability in the Product and associated programming and configuration software. Lastly, Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status