
PN641 | Security vulnerability in password mechanism of MicroLogix™ 1100 and 1400 Controllers

Severity:
High
Advisory ID:
PN641
Published:
May 17, 2011
Last Updated:
May 17, 2011
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Summary
Security vulnerability in password mechanism of MicroLogix™ 1100 and 1400 Controllers

Description

May 17, 2011 - Version 1.2

Rockwell Automation has identified a security vulnerability in specific versions of the MicroLogix™ family of programmable controllers. This vulnerability affects, and is limited to, the following MicroLogix 1100 and 1400 platforms:

  • 1763-L16xxx, 1766-L32xxxx

Details of this vulnerability are as follows:

A denial of service results from a successful attack against the password mechanism employed in specific versions of the MicroLogix 1100 and 1400 controller platforms when the controller's HTTP Server is enabled. When these products are targeted with a specific attack, they can enter a predefined fault mode and reset their product configuration to the factory-default state. User intervention is then necessary to reprogram and reconfigure the controller.

A successful attack on affected versions of the MicroLogix 1100 and 1400 controllers can therefore cause a Denial of Service (DoS): loss of product availability and disruption of both product and system operation.

To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously.

  1. Upgrade all MicroLogix 1100 and 1400 controllers per the following table:

     Controller Platform   Catalog Number   Affected Firmware            Upgrade controller to firmware version
     MicroLogix 1100       1763-L16xxx      FRN 9 or earlier             FRN 10 or higher
     MicroLogix 1400       1766-L32xxxx     Series A FRN 6 or earlier    Series A FRN 7 or higher
     MicroLogix 1400       1766-L32xxxx     Series B FRN 10 or earlier   Series B FRN 11 or higher

    Current firmware for MicroLogix can be obtained here:

    http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html

  2. If there is no intention to use the controller's HTTP server (i.e. web browser access), and the controller is connected to the network via Ethernet, prevent this potential compromise by unchecking the HTTP Server Enable checkbox in the controller configuration settings available via RSLogix 500 or RSLogix Micro. Refer to publications 1763-um002_-en-p and 1766-um002_-en-p for more information on how to disable the HTTP Server (see Disable Web View).
  3. Where possible, disable the capability to perform unauthorized remote programming, configuration or flash upgrades of controllers over a network by placing the controller's key switch in the RUN position.
  4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
  5. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  6. Block all traffic to EtherNet/IP and other CIP-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP ports 2222 and 44818 using appropriate security technology (e.g. a firewall, UTM device, or other security appliance).
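As an added example (not code from the advisory or from Rockwell Automation), the following Python models the zone-boundary rule of mitigation 6: CIP traffic on TCP/UDP 2222 and 44818 that enters the Manufacturing Zone from outside is dropped, while the same ports inside the zone remain usable. It evaluates a handful of constructed flows against that policy and renders the equivalent nftables rules. The zone prefix 10.20.0.0/16, the controller address 10.20.1.50 and all sample flows are assumptions chosen for illustration.

```python
"""Zone-boundary filter for the CIP ports named in mitigation 6.

Added example, not part of the Rockwell Automation advisory. The Manufacturing
Zone prefix, the controller address and the sample flows are constructed for
illustration; substitute your own site's addressing.
"""
import ipaddress
from dataclasses import dataclass

# EtherNet/IP / CIP ports listed in the advisory: 2222 and 44818.
# The advisory asks for both TCP and UDP to be restricted on both ports.
CIP_PORTS = (2222, 44818)
CIP_PROTOS = ("tcp", "udp")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


class ZoneBoundaryPolicy:
    """Deny CIP traffic entering the Manufacturing Zone from outside it."""

    def __init__(self, manufacturing_zone):
        self.zone = [ipaddress.ip_network(n) for n in manufacturing_zone]

    def in_zone(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.zone)

    def decide(self, flow):
        """Return (verdict, reason); verdict is 'deny' or 'allow'."""
        if flow.proto.lower() not in CIP_PROTOS or flow.dport not in CIP_PORTS:
            # Not a CIP port: this rule says nothing, the rest of the ruleset decides.
            return "allow", "not a CIP port"
        if self.in_zone(flow.dst) and not self.in_zone(flow.src):
            return "deny", "CIP from outside Manufacturing Zone"
        return "allow", "CIP within Manufacturing Zone"

    def nftables_rules(self):
        """Render the same policy as nftables rules for a forward-hook chain."""
        zone = ", ".join(str(n) for n in self.zone)
        ports = ", ".join(str(p) for p in CIP_PORTS)
        return "\n".join(
            f"ip saddr != {{ {zone} }} ip daddr {{ {zone} }} "
            f"{proto} dport {{ {ports} }} counter drop"
            for proto in CIP_PROTOS
        )


def denied_flows(policy, flows):
    """Flows the boundary filter would drop."""
    return [f for f in flows if policy.decide(f)[0] == "deny"]


# Constructed site: Manufacturing Zone 10.20.0.0/16, controller at 10.20.1.50.
POLICY = ZoneBoundaryPolicy(["10.20.0.0/16"])
CONTROLLER = "10.20.1.50"

SAMPLE_FLOWS = [
    Flow("10.20.7.12", CONTROLLER, "tcp", 44818),    # engineering workstation inside the zone
    Flow("192.168.50.9", CONTROLLER, "tcp", 44818),  # enterprise host, explicit messaging
    Flow("192.168.50.9", CONTROLLER, "udp", 2222),   # enterprise host, I/O port
    Flow("10.20.1.60", "10.20.1.50", "udp", 2222),   # two devices inside the zone
    Flow("192.168.50.9", CONTROLLER, "tcp", 80),     # HTTP: not covered by this rule
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = POLICY.decide(flow)
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport}/{flow.proto}  {verdict:5}  {reason}")
    print()
    print(POLICY.nftables_rules())
```

The last sample flow is the point of the exercise: an HTTP request to the controller passes this rule untouched, because mitigation 6 only covers the CIP ports. The HTTP server that the attack depends on is a device setting and is handled by mitigation 2, not by the boundary firewall. The rendered nftables rules assume an existing `ip` or `inet` filter table with a chain on the forward hook; in a real deployment the chain would additionally default to drop and allow only the explicit flows the plant needs.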

Rockwell Automation remains committed to making additional security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor control products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Copyright ©2022 Rockwell Automation, Inc.