Introduction
Description
Version 1.0 – January 26th 2016
In December 2015, Rockwell Automation was notified by ICS-CERT of a Buffer Overflow security vulnerability discovered in the web server of the Allen-Bradley MicroLogix 1100 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified this discovery and released revised product firmware to address associated risk. ICS-CERT published an advisory (ICSA-16-026-02) to cover this vulnerability.
Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.
AFFECTED PRODUCTS
- 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 15.000 and earlier.
VULNERABILITY DETAILS
Remote Code Execution through Stack-based Buffer Overflow
A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a request from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.
CVE-2016-0868 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
RISK MITIGATIONS
Rockwell Automation recommends that asset owners evaluate the impact of this vulnerability within their own environment and apply those of the following mitigations that are applicable.
- Update supported products based on this table:
Product Family  | Catalog Numbers                                      | Hardware Series | Suggested Actions
MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series B        | Apply FRN 15.002 (Downloads); apply the additional mitigations described below
MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series A        | Apply the additional mitigations described below

Note that no firmware update is listed for Series A hardware; those controllers depend entirely on the additional mitigations below.
- Disable the web server on the MicroLogix 1100, as it is enabled by default. See KB 732398 for detailed instructions on disabling the web server for each controller platform.
- Set the controller keyswitch to RUN; in that position the web server cannot be re-enabled via RSLogix 500.
- Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.
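The following is an added example, not code from Rockwell Automation or from this advisory. It applies the action table above to a controller inventory (Series B below FRN 15.002 gets the firmware update; Series A has no listed fix) and then verifies the "disable the web server" mitigation by checking whether TCP port 80 still accepts connections. The inventory, the host addresses and the loopback listener used for the offline demonstration are constructed for this example, and the assumption that the controller web server listens on TCP/80 is the HTTP default rather than a statement from the advisory.

```python
# Added example (not part of the Rockwell advisory): apply the advisory's action
# table to a controller inventory and check web-server exposure on TCP/80.
# Inventory, host addresses and the loopback listener below are constructed.
import socket
from dataclasses import dataclass

# Catalog numbers named in the advisory and the firmware revision it says to apply.
AFFECTED_CATALOGS = {"1763-L16AWA", "1763-L16BWA", "1763-L16BBB", "1763-L16DWD"}
FIXED_FRN = (15, 2)  # FRN 15.002


def parse_frn(text):
    """Turn a firmware revision string such as '15.000' into a comparable tuple."""
    major, minor = text.strip().split(".")
    return (int(major), int(minor))


@dataclass
class Controller:
    host: str      # IP address or hostname used to reach the controller (constructed)
    catalog: str   # e.g. "1763-L16BWA"
    series: str    # hardware series letter, "A" or "B"
    frn: str       # installed firmware revision, e.g. "15.000"


def required_action(c):
    """Map a controller to the advisory table's suggested action."""
    if c.catalog not in AFFECTED_CATALOGS:
        return "not in scope"
    series = c.series.strip().upper()
    if series == "B":
        # Series B: anything below FRN 15.002 is updated first, then mitigated.
        if parse_frn(c.frn) < FIXED_FRN:
            return "apply FRN 15.002, then additional mitigations"
        return "additional mitigations"
    if series == "A":
        # The advisory lists no firmware fix for Series A hardware.
        return "no firmware fix; additional mitigations only"
    return "unknown series; treat as unpatched"


def web_server_reachable(host, port=80, timeout=1.0):
    """True if a TCP connection to host:port completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(controllers, port=80):
    """Return one finding per controller: required action plus web-server exposure."""
    return [
        {
            "host": c.host,
            "action": required_action(c),
            "web_server_open": web_server_reachable(c.host, port),
        }
        for c in controllers
    ]


def local_listener():
    """Loopback listener on an ephemeral port; stands in for a still-enabled web server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed inventory; loopback stands in for the controller addresses.
    inventory = [
        Controller("127.0.0.1", "1763-L16BWA", "B", "15.000"),
        Controller("127.0.0.1", "1763-L16AWA", "A", "14.000"),
        Controller("127.0.0.1", "1763-L16BBB", "B", "15.002"),
    ]
    srv, port = local_listener()
    for finding in audit(inventory, port):
        print(finding)
    srv.close()
```

In production use, replace the loopback listener with the real controller addresses and the default port of 80; a finding with `web_server_open` True on a Series A unit, or on a Series B unit that has not yet received FRN 15.002, is the case the advisory's mitigations are meant to eliminate.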
LINKS
- Security Advisory Index, Knowledgebase article KB:54102
- KB732398 Disable Web Server on MicroLogix