Executive Summary
A subset of MicroLogix™ controllers and RSLogix 500® software contain multiple vulnerabilities that could allow an attacker to gain access to sensitive project file information including passwords. Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies submitted reports to Rockwell Automation regarding several vulnerabilities found in the Allen-Bradley® MicroLogix controllers and RSLogix 500 software. A subset of these vulnerabilities was also independently co-discovered and reported by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.
Customers using affected versions of these products are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
MicroLogix 1400 Controllers
Series B, v21.001 and earlier
Series A, all versions
MicroLogix 1100 Controllers
All versions
RSLogix 500® Software
V12.001 and earlier
Vulnerability Details
CVE-2020-6990: Use of Hard-Coded Cryptographic Key
The cryptographic key utilized to help protect the account password is hard-coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.
CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
CVE-2020-6984: Use of a Broken or Risky Algorithm for Password Protection
The cryptographic function utilized to protect the password in MicroLogix is discoverable. This password protects access to the device. If successfully exploited a remote attacker could gain unauthorized access to the controller.
CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-6988: Use of Client-Side Authentication
A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller, and the controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.
CVSS v3.1 Base Score: 5.9/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
CVE-2020-6980: Unsecured SMTP Data Storage
If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project file or the controller, may be able to gather SMTP server authentication data as it is written to the project file in cleartext.
CVSS v3.1 Base Score: 4.0/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Acknowledgements:
| CVE# | Discovery Attribution |
| CVE-2020-6990 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. |
| CVE-2020-6984 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab. |
| CVE-2020-6988 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab. |
| CVE-2020-6980 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. |
Risk Mitigation & User Action
Customers are encouraged to assess their level of risk regarding their specific applications and update to the latest available firmware or software version that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.
Note: Customers using affected versions of MicroLogix 1400 or MicroLogix 1100 are urged to contact their local distributor or sales office to upgrade their devices to MicroLogix 1400 Series B or a newer product line.
| Product | Catalog Numbers | Suggested actions for CVE-2020-6990, CVE-2020-6984, and CVE-2020-6988 | Suggested actions for CVE-2020-6980 |
| MicroLogix 1400 controllers, Series B | 1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA | Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature. | Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature. |
| MicroLogix 1400 controllers, Series A | 1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA | No direct mitigation. | No direct mitigagion. |
| MicroLogix 1100 controllers. | 1763-L16BWA 1763-L16AWA 1763-L16BBB 1763-L16DWD | No direct mitigation. | No direct mitigation. |
| RSLogix 500® software | R324-RL0x | Apply version V11 or later (Download), used in conjunction with applied FRN 21.002 or later for MicroLogix 1400 Series B devices. Use the Enhanced Password Security feature. Other configurations, no direct mitigation. | No direct mitigation. |
General Security Guidelines
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of the Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
Additional Links:
