Introduction
Description
Version 1.0 - AUG-11-2016
In June 2016, Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group, reported to Rockwell Automation that an undocumented and privileged Simple Network Management Protocol ("SNMP") community string exists in the MicroLogix™ 1400 Programmable Logic Controller ("PLC") product. Knowledge of the undocumented community string may allow an attacker to make unauthorized changes to the product’s configuration, including firmware updates.
Rockwell Automation has evaluated the report and confirmed the existence of the undocumented community string in the MicroLogix 1400. We have further investigated and discovered that one of the SNMP community strings is hardcoded and cannot be changed by the user. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are also provided below.
AFFECTED PRODUCTS
- 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, all versions.
VULNERABILITY DETAILS
SNMP is a standard protocol employed by many types of internet protocol ("IP") based products and allows centralized and remote device management capabilities. One of the many standard SNMP capabilities enables users to manage the product’s firmware, including the capability of applying firmware updates to the product. The MicroLogix 1400 utilizes this standard SNMP capability as its official mechanism for applying firmware updates to the product.
By default, the MicroLogix 1400 enables SNMP and has these community strings in the product:
- "public": allows read-only access.
- "private": allows read-write access; is hardcoded; and is used by ControlFlash for firmware updates.
- "wheel": allows read-write access and was previously undocumented for this product
Due to the nature of this product’s firmware update process, this capability cannot be removed from the product. Instead, mitigations are offered to reduce the risk of this capability being used by a malicious actor.
CVE-2016-5645 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
CUSTOMER RISK MITIGATIONS AND REMEDIATION
Customers using affected versions of the MicroLogix 1400 are strongly encouraged to evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously.
- Utilize the product’s "RUN" key switch setting to prevent unauthorized and undesired firmware update operations and other disruptive configuration changes.
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See 496391 - Blocking SNMP for more information on blocking access to SNMP services.
- Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 Programmable Controllers User Manual, Publication 1766-UM001, for detailed instructions on enabling and disabling SNMP.
  - Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
  - Note: Changing the SNMP community strings is not an effective mitigation.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
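Because the community strings cannot be changed, the mitigations above rely on controlling which hosts can reach the PLC's SNMP service. The following is an added example, not code from the advisory or from Rockwell Automation, of the kind of audit a defender can run over captured SNMP traffic to confirm those controls are working: it parses SNMPv1/v2c datagrams (the only versions that carry a community string, and they carry it in clear text) and flags any request that presents the undocumented "wheel" community, or any read-write community or SetRequest from a host that is not an approved SNMP manager. The allowed-manager address and the sample packets are constructed for the example.

```python
"""Audit SNMPv1/v2c requests for read-write community use from unapproved hosts.

Added example, not Rockwell Automation code. Community strings exist only in
SNMPv1/v2c and travel in clear text, so a packet-level audit sees exactly
which community each request presented.
"""
from typing import Dict, List, Set, Tuple

# Read-write community strings the advisory lists for the MicroLogix 1400.
READ_WRITE_COMMUNITIES = {"private", "wheel"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_snmp(version: int, community: str, pdu_tag: int) -> bytes:
    """Constructed SNMPv1 (0) or v2c (1) message with an empty varbind list.

    Used only to fabricate sample traffic for the audit below; request-id,
    error-status and error-index are all zero.
    """
    zero = _tlv(0x02, b"\x00")
    pdu = _tlv(pdu_tag, zero + zero + zero + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, bytes([version]))
                + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet: bytes) -> Tuple[int, str, str]:
    """Extract (version, community, pdu-type) from an SNMPv1/v2c datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    vtag, vval, pos = _read_tlv(body, 0)
    ctag, cval, pos = _read_tlv(body, pos)
    ptag, _, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected SNMP header layout")
    version = int.from_bytes(vval, "big")
    if version not in (0, 1):
        raise ValueError("only SNMPv1/v2c carry a community string")
    return version, cval.decode("latin-1"), PDU_NAMES.get(ptag, f"pdu-0x{ptag:02x}")


def audit(records: List[Tuple[str, bytes]],
          allowed_managers: Set[str]) -> List[Dict[str, str]]:
    """Flag requests a defender should look at: any use of the undocumented
    'wheel' community, and any read-write community or SetRequest from a host
    that is not an approved SNMP manager (for example the ControlFlash host)."""
    alerts = []
    for src, packet in records:
        version, community, pdu = parse_snmp(packet)
        reasons = []
        if community == "wheel":
            reasons.append("undocumented 'wheel' community presented")
        if src not in allowed_managers and (
                community in READ_WRITE_COMMUNITIES or pdu == "SetRequest"):
            reasons.append("write-capable request from unapproved host")
        if reasons:
            alerts.append({"src": src, "version": "v1" if version == 0 else "v2c",
                           "community": community, "pdu": pdu,
                           "reason": "; ".join(reasons)})
    return alerts


# Constructed sample traffic; all addresses are hypothetical.
ALLOWED_MANAGERS = {"10.0.5.10"}          # the engineering / firmware-update workstation
SAMPLE_RECORDS = [
    ("10.0.5.10", build_snmp(1, "public", 0xA0)),     # routine read from the manager
    ("10.0.5.10", build_snmp(1, "private", 0xA3)),    # firmware-update style write, approved host
    ("192.168.77.4", build_snmp(0, "wheel", 0xA0)),   # undocumented community from elsewhere
    ("192.168.77.4", build_snmp(0, "public", 0xA3)),  # write attempt from an unapproved host
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_RECORDS, ALLOWED_MANAGERS):
        print(alert)
```

Run against the sample, the audit stays quiet for the two requests from the approved workstation (including its "private" SetRequest, which is what a legitimate firmware update looks like) and raises two alerts for the other host. In a real deployment the records would come from a span port or firewall log in front of the PLC, and any alert is a direct indication that the network controls in the list above are not containing SNMP access as intended.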
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.