Introduction
Description
September 17, 2015 - Version 1.0
On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 product family. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public. ICS-CERT published an alert (ICS-ALERT-15-225-02A) to cover this vulnerability.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability in the MicroLogix 1400, and further discovered and reproduced the vulnerability in the MicroLogix 1100 product family. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
AFFECTED PRODUCTS
- 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.002 and earlier.
- 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.
Rockwell Automation will resolve this vulnerability in the next minor revision of product firmware, currently expected to be available in the October 2015 timeframe. This advisory will be updated to provide upgrade information when it is available.
VULNERABILITY DETAILS
The vulnerability in the MicroLogix’s webserver allows an attacker to inject arbitrary web content into an unsuspecting user’s web browser by using a built-in feature to "redirect" outside web content into the product’s web pages. This outside web content could contain malicious content that would target the web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the MicroLogix itself. Instead, the MicroLogix is used as a vehicle to deliver an attack to a device running a web browser.
A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.
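As an added illustration (not part of this advisory and not Rockwell Automation's code), the following script shows how a defender could review web server or proxy logs for requests to a controller's web pages whose query parameters carry an off-device URL, which is the kind of input the "redirect" feature described above would accept. The `url` parameter name, the combined log format, the sample lines and the controller address are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hosts that may legitimately appear as redirect targets (assumed: the
# controller's own address on the control network).
TRUSTED_HOSTS = {"192.168.1.10"}

# Combined log format: client IP, request line, status (assumed layout).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def external_targets(path):
    """Return (param, host) for each query value that points off-device."""
    found = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        candidate = unquote(value).strip()
        # Protocol-relative targets (//host/...) inherit the page's scheme
        # and still send the browser to a foreign host, so normalize them.
        if candidate.startswith("//"):
            candidate = "http:" + candidate
        parts = urlsplit(candidate)
        if (parts.scheme in ("http", "https") and parts.hostname
                and parts.hostname not in TRUSTED_HOSTS):
            found.append((name, parts.hostname))
    return found


def scan(log_lines):
    """Return (client, request_path, targets) for each suspicious request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, path, _status = m.groups()
        targets = external_targets(path)
        if targets:
            hits.append((client, path, targets))
    return hits


# Constructed sample lines, not real traffic; "url" is a hypothetical parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Sep/2015:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Sep/2015:10:01:09 +0000] "GET /redirect.htm?url=http://192.168.1.10/status.htm HTTP/1.1" 200 300',
    '203.0.113.7 - - [17/Sep/2015:10:02:11 +0000] "GET /redirect.htm?url=http%3A%2F%2Fexample.net%2Flogin HTTP/1.1" 200 300',
    '203.0.113.7 - - [17/Sep/2015:10:02:40 +0000] "GET /redirect.htm?url=//example.org/a HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, path, targets in scan(SAMPLE_LOG):
        print(f"{client} {path} -> external host(s): {[h for _, h in targets]}")
```

Requests whose redirect target is the controller itself are left alone; only targets resolving to a host outside the allowlist are reported.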
RISK MITIGATIONS
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
- Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.