Introduction
Description
Version 2.0 - December 8th 2015 (Original Release: October 27th 2015)
From June through October 2015, Rockwell Automation was notified of security vulnerabilities discovered in the Allen-Bradley MicroLogix 1100 and/or MicroLogix 1400 product families. One of these notifications was the security vulnerability (KB731427) previously disclosed during DEFCON 23 in August 2015.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has reproduced all of these vulnerabilities in both the MicroLogix 1100 and MicroLogix 1400 product families. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.
Details relating to these vulnerabilities, the known affected platforms and recommended countermeasures are contained herein.
AFFECTED PRODUCTS
- 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.003 and earlier.
- 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.
VULNERABILITY DETAILS
Vulnerability #1: Remote Code Execution through Stack-based Buffer Overflow
A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.
This vulnerability applies to both the MicroLogix 1100 and MicroLogix 1400 platforms. However, at this time a fix is only available for the MicroLogix 1100 product family. A future product update for the MicroLogix 1400 will be available in the November 2015 timeframe, and will include this vulnerability fix. Rockwell Automation will update this advisory at the time of the release.
03-DEC-2015 UPDATE: Version 15.004 is now available for the MicroLogix 1400 product. See below for more details.
CVE-2015-6490 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vulnerability #2: Product Denial of Service
A Denial of Service ("DoS") condition may result on the MicroLogix 1100/1400 when an affected product receives a specific malicious web request, which would require user action to power cycle the product and restore it to a working state. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability. The impact to the user’s automation system would be highly dependent on the mitigations that the user may already employ.
CVE-2015-6492 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Vulnerability #3: Remote File Inclusion
A Remote File Inclusion condition may result on the MicroLogix 1100/1400 when an attacker crafts a malicious link, using the built-in feature to "redirect" outside web content into the product’s web page frame. This outside web content could contain malicious content that would target the unsuspecting user’s web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ.
A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.
This vulnerability was first disclosed in publication KB731427 and ICS-ALERT-15-225-02A in August 2015.
CVE-2015-6491 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Vulnerability #4: Stored Cross-site Scripting ("XSS")
Ilya Karpov of Positive Technologies identified an XSS vulnerability in both the MicroLogix 1100 and 1400. This vulnerability may allow an attacker to inject and store JavaScript in the product’s web server, which would be executed in the user’s web browser when accessing the embedded web server function. The stored JavaScript may be used to execute web requests, without the user’s knowledge, in the context of the user who is viewing the page. A factory reset is required to remove the stored JavaScript.
CVE-2015-6488 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
Vulnerability #5: Privilege Escalation through Structured Query Language ("SQL") Injection
Ilya Karpov of Positive Technologies has identified a Privilege Escalation vulnerability in the MicroLogix 1100/1400. Privilege Escalation may result when an attacker tricks an authorized user (through social engineering/phishing) into clicking on a specific and malicious link, which allows the attacker to create a user or escalate the privileges of an existing user to the administrative level. An authorized administrator is required to undo the changes made after the attack.
CVE-2015-6486 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L)
For additional information on CVSS v3 metrics, vectors, and scores, please see FIRST’s Common Vulnerability Scoring System Version 3.0.
RISK MITIGATIONS
Rockwell Automation recommends that asset owners evaluate the impact of each of these vulnerabilities within their environment, and apply those of the following suggested mitigations that are applicable.
- Update supported products based on this table:
Product Family: MicroLogix 1100
Catalog Numbers: 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD
Hardware Series: Series B
Vulnerabilities Fixed: 1, 2, 3, 4, and 5
Suggested Actions:
  - Apply FRN 15.000 (Downloads)
  - Apply the additional mitigations described below

Product Family: MicroLogix 1100
Catalog Numbers: 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD
Hardware Series: Series A
Vulnerabilities Fixed: None
Suggested Actions:
  - Apply the mitigations described below

Product Family: MicroLogix 1400
Catalog Numbers: 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA
Hardware Series: Series B
Vulnerabilities Fixed: 1, 2, 3, 4, and 5
Suggested Actions:
  - Apply FRN 15.004 (Downloads)
  - Apply the additional mitigations described below

Product Family: MicroLogix 1400
Catalog Numbers: 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA
Hardware Series: Series A
Vulnerabilities Fixed: None
Suggested Actions:
  - Apply the mitigations described below

- Disable the web server on the MicroLogix 1100 and 1400, as it is enabled by default. See KB732398 for detailed instructions on disabling the web server for each controller platform.
- Set the keyswitch to RUN to prohibit re-enabling of the web server via RSLogix 500.
- Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Subscribe to our Security Advisory Index, Knowledgebase article KB54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.
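The affected-version list and the fix table above can be applied mechanically across a controller inventory. The following Python is an added example, not Rockwell Automation tooling: it encodes the advisory's affected FRN versions and Series A/B fix status, and assumes the catalog number, hardware series letter and FRN firmware version are recorded in the asset inventory (the sample inventory and the "9999-PLACEHOLDER" catalog number are constructed).

```python
"""Added example, not Rockwell's own tooling: triage an inventory of
MicroLogix 1100/1400 controllers against this advisory's affected-version
list and fix table. Assumes the catalog number, hardware series letter and
FRN firmware version are recorded in the asset inventory."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Catalog prefix -> (family, last affected FRN, FRN that fixes Series B hardware).
# Series A hardware receives no firmware fix, only the compensating mitigations.
PLATFORMS = {
    "1763-L16": ("MicroLogix 1100", (14, 0), (15, 0)),
    "1766-L32": ("MicroLogix 1400", (15, 3), (15, 4)),
}

MITIGATIONS = "disable web server (KB732398), keyswitch RUN, isolate from business network/Internet"


def parse_frn(version: str) -> Tuple[int, int]:
    """'15.003' -> (15, 3); comparison is numeric, not string-based."""
    major, minor = version.strip().split(".")
    return int(major), int(minor)


@dataclass
class Finding:
    family: str
    affected: bool
    action: str


def triage(catalog: str, series: str, frn: str) -> Optional[Finding]:
    """Return None when the catalog number is not covered by this advisory."""
    for prefix, (family, last_bad, fixed) in PLATFORMS.items():
        if catalog.upper().startswith(prefix):
            break
    else:
        return None
    if parse_frn(frn) > last_bad:
        return Finding(family, False, "not affected; " + MITIGATIONS + " still recommended")
    if series.upper() == "B":
        return Finding(family, True, f"apply FRN {fixed[0]}.{fixed[1]:03d}; " + MITIGATIONS)
    return Finding(family, True, "no firmware fix for Series A; " + MITIGATIONS)


if __name__ == "__main__":
    # Constructed sample inventory, not real site data.
    inventory = [("1766-L32BWA", "B", "15.003"), ("1763-L16BWA", "A", "14.000"),
                 ("1766-L32BXB", "B", "15.004"), ("9999-PLACEHOLDER", "B", "1.000")]
    for cat, ser, ver in inventory:
        f = triage(cat, ser, ver)
        print(cat, ser, ver, "->", "not in advisory" if f is None else f"{f.family}: {f.action}")
```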
LINKS
- Security Advisory Index, Knowledgebase article KB54102
- KB732398 Disable Web Server on MicroLogix
- ICS-CERT Advisory ICSA-15-300-03A Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities (Update A)