Security Experts:

Flaws in Rockwell PLCs Expose Operational Networks

New "FrostyURL" Zero-Day in Rockwell Automation PLC Can Shut Down Operational Networks 

Industrial automation solutions provider Rockwell Automation on Tuesday released firmware updates and mitigations to address several vulnerabilities identified by researchers in some of the company’s programmable logic controllers (PLCs).

The security holes, reported by experts from Positive Technologies, CyberX, and Elastica, affect Allen-Bradley MicroLogix 1100 and 1400 series PLC systems. These products are deployed worldwide in sectors such as chemical, food and agriculture, critical manufacturing, and water and wastewater systems.

An advisory published by ICS-CERT names the following vulnerable controller platforms: 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, and 1763-L16DWD hardware series A and B running firmware version 14.000 and prior; and 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, and 1766-L32BXBA hardware series A and B running firmware version 15.002 and prior.

Paralyzing Operational Networks via “FrostyURL” Vulnerability

One of the high severity issues affecting MicroLogix controllers was detailed today by CyberX, a company that specializes in protecting operational networks, at SecurityWeek's 2015 ICS Cyber Security Conference in Atlanta, GA. The weakness, a denial-of-service (DoS) bug dubbed by the company “FrostyURL” (CVE-2015-6492), can be exploited to crash MicroLogix PLCs.

Exploiting PLCs at ICS Cyber Security Conference


Nir Giller and David Atch from CyberX Presenting at the 2015 ICS Cyber Security Conference on Oct. 28, 2015.

According to CyberX, an attacker can exploit the vulnerability via a specially crafted URL that can be sent to the victim via email. In an attack scenario described by the company, the attacker sends an email containing the malicious URL to a technician. The targeted technician might read his emails from a laptop that he also connects to the operational network as part of ongoing daily activities. If the malicious URL is opened when the laptop is connected to the operational network, a malicious JavaScript snippet is executed in the victim’s web browser and any network-accessible PLC that is plagued by the DoS vulnerability freezes.

CyberX told SecurityWeek that the vulnerability can also be exploited against PLCs that are accessible over the Internet.

“Once you have the destructive URL, anyone can exploit the vulnerability, this does not require a sophisticated hacker. The URL can be non-suspicious, it can even appear as an internal link, in an email message to an employee,” explained Nir Giller, CTO of CyberX. “It blew our minds how simple it is. This can end up with a shutdown of a harbor full of hazardous materials, or cause significant damage to a plant, as happened in Germany just over a year ago.”

Another serious vulnerability found by CyberX, with a CVSS score of 9.8, is a buffer overflow bug (CVE-2015-6490) that can be exploited to remotely crash affected devices or execute arbitrary code. CyberX told SecurityWeek that it reported this flaw to Rockwell Automation on October 1.

CyberX says it has used an “innovative technique” to identify and exploit the vulnerabilities in MicroLogix PLCs. Researchers developed a piece of firmware that uses a special algorithm for searching the firmware code and mapping potentially vulnerable functions. The firmware is uploaded to a test device by bypassing a security mechanism for firmware validation, allowing experts to easily develop working exploits that can later be used against equipment that hasn’t been tampered with.

Giller told SecurityWeek that the technique can be adapted for other products as well. The expert pointed out that while the latest firmware updates address the flaws reported by CyberX, they don’t fix the validation issue that allowed them to upload their specially crafted firmware.

Unrestricted File Upload, XSS, and SQL Injection Flaws in MicroLogix PLC

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs and an expert in industrial control system (ICS) security, has identified a vulnerability described as “unrestricted upload of file with dangerous type.”

The flaw, identified as CVE-2015-6491, allows an attacker to inject or include files of dangerous types that can be automatically processed within the affected product’s environment, Sood told SecurityWeek.

Sood has also discovered a stored cross-site scripting (XSS) vulnerability (CVE-2015-6488) that can be exploited to inject malicious JavaScript code in a device’s web server. This code is executed in the user’s web browser when the embedded web server function is accessed. A factory reset of the device is required to remove the malicious code, ICS-CERT said.

ICS-CERT’s advisory also describes a SQL injection flaw (CVE-2015-6486) that allows a remote attacker to create or delete new users, and escalate their privileges by getting an administrator to execute a specially crafted link.

Response from Rockwell Automation

ICS-CERT says the firmware updates released by Rockwell Automation don’t patch the vulnerabilities in all the affected products. In some cases, organizations must implement mitigations to protect themselves against potential attacks.

Rockwell Automation says it has released firmware updates for both MicroLogix 1100 and 1400 PLCs.

Rockwell Automation provided the following statement to SecurityWeek:

Rockwell Automation shares the concern of our customers about the recent public disclosure of vulnerabilities regarding the MicroLogix1100 product family. Researchers identified vulnerabilities that would make products susceptible to remote code execution, product denial of service, remote file inclusion, stored cross-site scripting, privilege escalation and web server denial of service.

The company has taken rapid steps to respond to these vulnerabilities and has offered product updates that are available today. In addition to the product updates, there are recommended mitigation steps that customers can take to further protect their environment.

Updated product firmware and these additional modifications are located here. The firmware upgrade requires a KnowledgeBase account, and there is no charge to our customers for that account or for the firmware upgrade. Rockwell Automation is ready to serve our customers and help them understand and address security risks that may impact their control system operations while we continue to help them safeguard their people, property and information.

We encourage our customers to remain vigilant as technology continues to evolve. As an industrial security leader, Rockwell Automation is committed to rapidly responding to new and ongoing security threats. For more details, go to

view counter