Severity:
Medium
Advisory ID:
PN1566
Published Date:
May 25, 2021
Last Updated:
May 25, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2021-32926
Summary
Micro800 and MicroLogix 1400 Vulnerable to Man-in-the-Middle Attack
Revision History
Version 1.0 – May 25, 2021. Initial release.
Executive Summary
Rockwell Automation received a report from Adeen Ayub from Virginia Commonwealth University, Hyunguk Yoo from The University of New Orleans, and Irfan Ahmed from Virginia Commonwealth University regarding a man-in-the-middle vulnerability in the Micro800™ and MicroLogix™ 1400. If successfully exploited, this vulnerability may result in denial-of-service conditions. To recover from this condition, a firmware flash on the controller will need to be performed. Firmware flashing will put the controller into the default state and the user program and data will be lost.
Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
Micro800, all versions.
MicroLogix 1400, version 21 and later, when Enhanced Password Security is enabled.
Vulnerability Details
CVE-2021-32926: Improper authentication may lead to denial of service conditions
A vulnerability exists in how the Micro800 and MicroLogix 1400 controllers authenticate password change requests. If successfully exploited, this vulnerability may allow a remote, unauthenticated attacker to perform a man-in-the-middle attack: while a legitimate user is changing the controller password, the attacker intercepts the message that carries the new password hash and replaces the legitimate hash with one of their own choosing. Because the controller does not verify that the request came from a party who knows the current password, it stores the substituted hash. The user can then no longer authenticate to the controller, causing a denial-of-service condition. Note that the attacker must be on the network path between the user and the controller at the time the password change is performed (CVSS UI:R, AC:H).
CVSS v3.1 Base Score: 6.1/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H
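The following is an added illustration, not Rockwell code and not the actual CIP/PCCC message format used by these controllers (the advisory does not describe it). It models the class of weakness in CVE-2021-32926: a password-change request that carries only the new hash, so an on-path attacker can substitute a hash of their own and lock the legitimate user out. A second, hardened variant is included only to make visible what the unauthenticated message lacks (a proof of knowledge of the current credential, bound to a controller-issued nonce); it is not a fix available for these products, which Rockwell states cannot be patched. The names Controller, mitm_swap, change_request_* and the SHA-256 stand-in for the credential hash are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added illustration, not Rockwell code and not the real wire format.
# Names (Controller, mitm_swap, change_request_*) are invented here.


def hash_password(password: str) -> bytes:
    """Stand-in credential hash (a real design would salt and stretch it)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Controller:
    def __init__(self, password: str) -> None:
        self.stored_hash = hash_password(password)
        self._issued_nonce = None

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.stored_hash, hash_password(password))

    # --- vulnerable model: the request carries only the new hash -----------
    def apply_unauthenticated(self, msg: dict) -> bool:
        # Nothing ties the new hash to a party that knows the old password,
        # so whatever hash arrives on the wire is stored as-is.
        self.stored_hash = msg["new_hash"]
        return True

    # --- hardened model: request bound to the current credential -----------
    def challenge(self) -> bytes:
        self._issued_nonce = secrets.token_bytes(16)
        return self._issued_nonce

    def apply_authenticated(self, msg: dict) -> bool:
        nonce = self._issued_nonce
        self._issued_nonce = None  # single use: an old request cannot be replayed
        if nonce is None or not hmac.compare_digest(nonce, msg["nonce"]):
            return False
        expected = hmac.new(self.stored_hash, nonce + msg["new_hash"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # hash altered in transit, or sender lacks the old password
        self.stored_hash = msg["new_hash"]
        return True


def change_request_unauthenticated(new_password: str) -> dict:
    return {"new_hash": hash_password(new_password)}


def change_request_authenticated(current_password: str, new_password: str,
                                 nonce: bytes) -> dict:
    new_hash = hash_password(new_password)
    mac = hmac.new(hash_password(current_password), nonce + new_hash,
                   hashlib.sha256).digest()
    return {"nonce": nonce, "new_hash": new_hash, "mac": mac}


def mitm_swap(msg: dict, attacker_password: str) -> dict:
    """On-path attacker replaces the legitimate new hash with their own."""
    tampered = dict(msg)
    tampered["new_hash"] = hash_password(attacker_password)
    return tampered


def demo() -> dict:
    results = {}

    # 1. Vulnerable flow: user changes "old" -> "new"; attacker swaps the hash.
    plc = Controller("old")
    msg = mitm_swap(change_request_unauthenticated("new"), "attacker")
    plc.apply_unauthenticated(msg)
    results["vulnerable_user_locked_out"] = not plc.login("new")
    results["vulnerable_attacker_knows_password"] = plc.login("attacker")

    # 2. Hardened flow: the same swap breaks the MAC and is rejected.
    plc = Controller("old")
    nonce = plc.challenge()
    msg = mitm_swap(change_request_authenticated("old", "new", nonce), "attacker")
    results["hardened_rejects_tamper"] = not plc.apply_authenticated(msg)
    results["hardened_keeps_old_password"] = plc.login("old")

    # 3. Hardened flow with no interference still succeeds.
    nonce = plc.challenge()
    msg = change_request_authenticated("old", "new", nonce)
    results["hardened_accepts_legit"] = plc.apply_authenticated(msg) and plc.login("new")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the vulnerable flow the controller ends up holding a hash the attacker chose, which is exactly the lockout the advisory describes; recovery on the real product is the firmware flash in the mitigation section. The hardened variant shows why the only practical control here is environmental: keep the password-change exchange on a network segment an attacker cannot reach.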
Risk Mitigation & User Action
Rockwell Automation has determined that this vulnerability cannot be remediated with a patch, so customers using the affected controllers are directed towards risk mitigation. Customers are encouraged, when possible, to combine this guidance with the general security guidelines below for a comprehensive defense-in-depth strategy.
If this vulnerability is successfully exploited, the password can only be reset by performing a firmware flash on the controller. Firmware flashing will put the controller into the default state, and the user program and data will be lost; customers should confirm that a current backup of the controller program exists before relying on this recovery path.
A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage the vulnerability, an unauthorized user would require access to the same network as the controller. Customers should confirm they are employing proper networking segmentation and security controls.
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.
| Vulnerability | Suggested Actions |
| --- | --- |
| CVE-2021-32926 | Confirm that setting and updating the password for the controller is done within a trusted network environment that is only accessible to authorized users. |
General Security Guidelines
- Use proper network infrastructure controls, such as firewalls, to confirm that CIP™ traffic from unauthorized sources is blocked.
- Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see Knowledgebase Article PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
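One way to check the port-restriction guidance above against what a firewall actually sees, as an added example that is not part of the advisory: parse netfilter-style log lines and flag any EtherNet/IP or CIP connection (TCP/UDP 44818 and 2222, the ports named in the guidelines) whose source lies outside the Manufacturing Zone. The log format, the zone range 10.20.0.0/16 and the sample lines are all constructed for this example; adjust them to the site's own address plan and firewall output.

```python
import ipaddress
import re

# Ports named in the advisory's general security guidelines.
CIP_PORTS = {44818, 2222}

# Assumed Manufacturing Zone address space for this example.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log lines in a netfilter-style key=value format (assumed).
SAMPLE_LOG = """\
SRC=10.20.5.11 DST=10.20.9.40 PROTO=TCP DPT=44818
SRC=10.20.9.40 DST=10.20.9.41 PROTO=UDP DPT=2222
SRC=192.168.50.7 DST=10.20.9.40 PROTO=TCP DPT=44818
SRC=203.0.113.9 DST=10.20.9.40 PROTO=UDP DPT=2222
SRC=192.168.50.7 DST=10.20.9.40 PROTO=TCP DPT=443
"""

FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return {"src": src, "dst": dst, "proto": proto.upper(), "dport": int(dport)}


def in_zone(addr: str, zone=MANUFACTURING_ZONE) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in zone)


def external_cip_flows(log_text: str, zone=MANUFACTURING_ZONE) -> list:
    """CIP/EtherNet/IP flows into the zone whose source is outside it.

    Each such flow is traffic the guidelines say should have been blocked at
    the zone boundary, so any hit is a segmentation gap to investigate.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in CIP_PORTS:
            continue
        if in_zone(rec["dst"], zone) and not in_zone(rec["src"], zone):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in external_cip_flows(SAMPLE_LOG):
        print(f"CIP from outside zone: {rec['src']} -> {rec['dst']} "
              f"{rec['proto']}/{rec['dport']}")
```

Run against the constructed sample, the two in-zone flows and the port 443 flow are ignored, and the business-network host and the Internet-routable source reaching port 44818/2222 are reported. Feed it real firewall logs to confirm the boundary rules behave as the guidelines require, and remember that it only sees traffic the firewall logged; an attacker already inside the zone is exactly the case the password-change mitigation is meant to address.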
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Copyright ©2022 Rockwell Automation, Inc.