PN967 | MicroLogix Controller v21 Security Updates

Introduction

Description

Version 1.0 - April 25, 2017

Multiple vulnerabilities exist in certain MicroLogix™ 1100 and 1400 controllers that, if successfully exploited, can allow unauthorized access to the web server, tamper with firmware, or cause a Denial of Service. MicroLogix is a family of Programmable Logic Controllers (PLCs) used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure to Water, and Wastewater Systems. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers, Series A and B

• 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA
  Version 16.00 and earlier.

MicroLogix 1100, Series A and B

• 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, 1763-L16DWD
  Version 16.00 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Weak Password Resolution

MicroLogix products use a numeric password that has a small number of maximum characters, making it easier for a user to guess the password. There is no penalty for incorrect passwords, so the attack can be repeated until the victim’s password is identified. Once a controller password is identified, the attacker is able to communicate with the controller and make disruptive changes.

A CVSS v3 base score of 9.8/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7898 and CVE-2017-7903 have been assigned to this vulnerability.

Vulnerability #2: Firmware Tampering

Series C versions of MicroLogix 1400 firmware (FRN 21.00 and later) are digitally signed, whereas Series A and B are NOT digitally signed. When a new version of firmware is uploaded to the Series C product, the update will only proceed if the firmware’s digital signature is determined to be authentic.

A CVSS v3 base score of 8.1/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability #3: TCP Sequence Prediction Attack

An unauthorized, remote attacker has the potential to send counterfeit packets to a target host by predicting the TCP initial sequence numbers. The attacker may spoof or disrupt TCP connections that could potentially cause a Denial of Service to the target.

A CVSS v3 base score of 5.4/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

CVE-2017-7901 has been assigned to this vulnerability.

Vulnerability #4: Improper Nonce Usage

A vulnerability exists in the HTTP Digest Authentication implementation that could allow an unauthorized, remote attacker to observe a valid HTTP request and replay that request back to the server. The attacker needs to observe an actual HTTP request that they wish to replay back to the server. The impact to this attack is limited to the functions that the web server has exposed.

A CVSS v3 base score of 5.4/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

CVE-2017-7902 has been assigned to this vulnerability.

Vulnerability #5: User Credentials Sent via GET method

Ilya Karpov reported to Rockwell Automation that form values, including user credentials, are sent to the web server via an HTTP GET method, which may also log the credentials in network monitoring tools. An attacker with access to these logs could potentially harvest these passwords, which may further allow the attacker access to the webserver, or other systems that share the same user credentials.

A CVSS v3 base score of 3.1/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

CVE-2017-7899 has been assigned to this vulnerability.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected products are encouraged to update to the latest firmware version that addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.

Customers who are unable to update their software are directed towards risk mitigation strategies provided in this document below. Where feasible, additional precautions and risk mitigation strategies, like those listed below, are similarly recommended. Employ multiple strategies when possible.

1. Disable the web server on the MicroLogix 1100 or the MicroLogix 1400, as it is enabled by default. See 732398 - How to disable the web server in MicroLogix 1100 and 1400 for detailed instructions on disabling the web server.
2. Set the mode to RUN via LCD soft keyswitch to prohibit any re-enabling of the web server while the keyswitch is in this mode. This also protects against unauthorized firmware upgrades.

GENERAL SECURITY GUIDELINES

1. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
2. Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
3. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

• Security Advisory Index, Knowledgebase article 54102
  
• Industrial Firewalls within a CPwE Architecture
  
  
• Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

REVISION HISTORY

KCS Status