Severity:
High
Advisory ID:
PN1545
Published Date:
January 28, 2021
Last Updated:
January 28, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2021-22659
Summary
Modbus Vulnerability may lead to Denial-of-Service conditions in the MicroLogix 1400 Controller
Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 28, 2021. Initial release.
Executive Summary
Rockwell Automation received a report from Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS, Veermata Jijabai Technological Institute (VJTI), India regarding a vulnerability in the MicroLogix™ 1400 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.
This vulnerability does not impact MicroLogix 1400 controller users who have Modbus TCP disabled.
Customers using affected versions of this controller are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
MicroLogix 1400, all series version 21.6 and below.
Vulnerability Details
CVE-2021-22659: Buffer Overflow may lead to Denial-of-Service Conditions
A remote, unauthenticated attacker may be able to send specially crafted Modbus packet which would allow the attacker to retrieve or modify random values in the register. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash RED and communications may be lost. Recovery from denial-of-service condition requires the fault to be cleared by the user.
CVSS v3.1 Base Score: 8.1/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
A remote, unauthenticated attacker may be able to send specially crafted Modbus packet which would allow the attacker to retrieve or modify random values in the register. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash RED and communications may be lost. Recovery from denial-of-service condition requires the fault to be cleared by the user.
CVSS v3.1 Base Score: 8.1/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
Risk Mitigation & User Action
Customers using the affected controller are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.
All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
Software/PC-based Mitigation Strategies
General Mitigations
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index. .
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- Utilize proper network infrastructure controls (such as firewalls) to help ensure Modbus TCP from unauthorized sources are blocked.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.
Software/PC-based Mitigation Strategies
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
- Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index. .
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.