SecurityWeek

ICS/OT

Several Vulnerabilities Found in Rockwell Automation PLCs

ICS-CERT has published an advisory describing several vulnerabilities, including ones rated critical, in Rockwell Automation’s Allen-Bradley MicroLogix programmable logic controllers (PLCs). Firmware updates that patch the flaws are available only for some devices.

A total of five security holes were reported to Rockwell Automation by researchers at Georgia Tech, Fortiphyd Logic and Positive Technologies. They affect various models of the Allen-Bradley MicroLogix 1100 and 1400 PLCs, both Series A and Series B, running firmware version 16.00 and earlier.

Rockwell Automation Allen-Bradley MicroLogix PLC

The most serious of the flaws, judged by their CVSS scores, concern authentication. One of them, tracked as CVE-2017-7898 and rated critical, stems from the web server's login page accepting an unlimited number of incorrect passwords: there is no account lockout or throttling of attempts, which leaves the login open to brute-force attacks.

The other critical weakness, CVE-2017-7903, concerns the web interface's password policy: the password is purely numeric and its maximum length is short, so the space of possible passwords is small enough to enumerate quickly. Combined with the missing attempt limit, this makes brute-force guessing practical rather than merely possible.

Two of the flaws found in Allen-Bradley MicroLogix PLCs have been rated medium severity with a CVSS score of 5.4. One stems from insufficiently random TCP initial sequence numbers: an attacker who can predict the sequence number the controller will use next can spoof or reset its TCP connections, which can be exploited for denial-of-service (DoS) attacks. The other is caused by the reuse of nonces, which lets an attacker capture a valid request and replay it later, since the controller does not recognise the request as one it has already accepted.
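The following is an added example, not code from the advisory or from Rockwell Automation, showing the kind of check a tester runs to decide whether a device's TCP initial sequence numbers are predictable (nmap's OS-detection sequence test does something similar). It takes ISNs collected from successive SYN-ACKs sent by the target and reports whether they follow a constant step, small clock-like increments, or no obvious pattern, and it shows the attacker's simplest guess for the next ISN. The three ISN lists in the block are constructed for illustration and are not values observed on a MicroLogix controller; the 2^20 spread threshold is an arbitrary cut-off chosen for the example.

```python
"""Score the predictability of a device's TCP initial sequence numbers (ISNs).

Added example, not code from the advisory or the vendor. Feed it ISNs taken
from successive SYN-ACKs sent by the target (e.g. from a packet capture); the
sequences below are constructed for illustration, not captured values.
"""
import statistics
from collections import Counter

MOD = 2 ** 32           # TCP sequence numbers are 32-bit and wrap
SMALL_SPREAD = 2 ** 20  # arbitrary cut-off: deltas spread less than this are "weak"


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predict_next(isns):
    """An attacker's simplest guess: last ISN plus the most frequent delta."""
    delta, _ = Counter(isn_deltas(isns)).most_common(1)[0]
    return (isns[-1] + delta) % MOD


def classify(isns):
    """Return repeat ratio, delta spread and a verdict for a list of ISNs.

    repeat_ratio: share of deltas equal to the most common delta (1.0 means a
    constant increment). spread: population standard deviation of the deltas;
    a well-randomised stack gives values on the order of 2^32 / sqrt(12).
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    _, count = Counter(deltas).most_common(1)[0]
    repeat_ratio = count / len(deltas)
    spread = statistics.pstdev(deltas)
    if repeat_ratio >= 0.5:
        verdict = "constant increment: next ISN is trivially predictable"
    elif spread < SMALL_SPREAD:
        verdict = "small, clock-like increments: weak randomisation"
    else:
        verdict = "no obvious pattern in this sample"
    return {"repeat_ratio": repeat_ratio, "spread": spread, "verdict": verdict}


def from_steps(start, steps):
    """Build an ISN list from a start value and successive increments."""
    out = [start]
    for step in steps:
        out.append((out[-1] + step) % MOD)
    return out


# Constructed samples (not captured values).
CONSTANT_STEP = [(0x1000 + 64000 * i) % MOD for i in range(10)]   # old-BSD style 64k step
CLOCK_LIKE = from_steps(0x20000000, (250117, 250903, 250044, 250871, 250500,
                                     250222, 250999, 250310, 250650))
RANDOMISED = [0x8A3F1C27, 0x1B9E44D0, 0xF3C2A981, 0x4D07E6B2, 0xA9F31D5C,
              0x2E6B8F04, 0xC81A7E93, 0x5F40D2AB, 0x91C3B67E, 0x07E5A3C1]

if __name__ == "__main__":
    for name, seq in (("constant step", CONSTANT_STEP),
                      ("clock-like", CLOCK_LIKE),
                      ("randomised", RANDOMISED)):
        r = classify(seq)
        hit = predict_next(seq[:-1]) == seq[-1]
        print(f"{name:14s} repeat={r['repeat_ratio']:.2f} "
              f"spread={r['spread']:.0f} guess_hit={hit}  {r['verdict']}")
```

A constant-step sequence is the worst case: once an attacker has seen one ISN from the controller, `predict_next` gives the next one exactly, which is all an off-path attacker needs to inject a RST or spoof a connection. Run the same check against a real target only with a few dozen samples collected close together in time, since some stacks re-key their ISN generator periodically.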

The least severe vulnerability is an information disclosure issue. Researchers noticed that user credentials are sent to the web server as parameters of an HTTP GET request, so they appear in the URL itself and can end up in browser history, proxy and server logs, and anywhere else the URL is recorded.
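Since no firmware fix exists for most of the affected models, the practical defence for the two brute-force flaws and the credentials-in-GET issue described above is to watch the traffic reaching the controller. The following is an added example, not code from the advisory or from Rockwell Automation, of detection logic run over an HTTP access log captured in front of the PLC. It assumes a log in Common Log Format from a reverse proxy or an IDS sensor on a SPAN port (the controller itself is not assumed to log anything), that the login page lives at `/login`, and that the form submits `user` and `password` as query parameters; those names are assumptions to adjust for the real device. The sample log lines are constructed for the example.

```python
"""Flag password guessing and cleartext credentials aimed at a PLC web server.

Added example, not code from the advisory or the vendor. Assumes an HTTP
access log in Common Log Format captured in front of the controller, a login
page at /login and credentials passed as 'user'/'password' query parameters.
The sample log below is constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/login"                                         # assumed
CRED_KEYS = {"user", "username", "password", "pwd", "pass"}  # assumed
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def credential_params(url):
    """Names (never values) of credential-looking query parameters in a URL."""
    query = parse_qs(urlsplit(url).query)
    return sorted(k for k in query if k.lower() in CRED_KEYS)


def detect_bruteforce(events, window_s=60, threshold=10):
    """Sources that hit the login page at least `threshold` times within any
    `window_s`-second sliding window. `succeeded` is True when a 2xx response
    followed the last 4xx one, i.e. the guessing probably worked."""
    per_src = defaultdict(list)
    for ev in events:
        if urlsplit(ev["url"]).path == LOGIN_PATH:
            per_src[ev["src"]].append(ev)
    findings = []
    for src, evs in sorted(per_src.items()):
        evs.sort(key=lambda e: e["ts"])
        window, peak = deque(), 0
        for ev in evs:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak < threshold:
            continue
        last_fail = max((i for i, e in enumerate(evs) if 400 <= e["status"] < 500), default=-1)
        succeeded = last_fail >= 0 and any(200 <= e["status"] < 300 for e in evs[last_fail + 1:])
        findings.append({"src": src, "attempts": len(evs), "peak_in_window": peak,
                         "succeeded": succeeded})
    return findings


def detect_cleartext(events):
    """(source, path, credential parameter names) for requests carrying
    credentials in the URL. Values are deliberately left out: the alert must
    not become one more place the password is written down."""
    seen = set()
    for ev in events:
        params = credential_params(ev["url"])
        if params:
            seen.add((ev["src"], urlsplit(ev["url"]).path, tuple(params)))
    return sorted(seen)


def analyse(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return {"bruteforce": detect_bruteforce(events), "cleartext": detect_cleartext(events)}


def _clf(src, ts, url, status):
    return f'{src} - - [{ts}] "GET {url} HTTP/1.1" {status} 128'


# Constructed sample log: one normal operator login, then a sequential walk
# through four-digit numeric passwords from another host that succeeds on try 11.
SAMPLE_LOG = (
    [_clf("10.0.5.40", "02/May/2017:08:00:01 +0000", "/index.htm", 200),
     _clf("10.0.5.40", "02/May/2017:08:00:09 +0000", "/login?user=operator&password=7731", 200)]
    + [_clf("10.0.5.23", f"02/May/2017:08:01:{i:02d} +0000",
            f"/login?user=admin&password={1000 + i}", 401) for i in range(10)]
    + [_clf("10.0.5.23", "02/May/2017:08:01:12 +0000", "/login?user=admin&password=1010", 200)]
)

if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

Two design points matter here. The brute-force detector counts every hit on the login path, not only failures, because a device with no lockout answers guesses at whatever rate the attacker sends them, and the `succeeded` flag turns a noisy "many attempts" alert into an incident. The cleartext detector reports only parameter names: the whole problem with credentials in a GET request is that they get copied into logs, and a detector that copies them into yet another log makes it worse.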

Rockwell Automation has released firmware version 21.00 for Allen-Bradley MicroLogix 1400 Series B controllers to address these vulnerabilities. No updates are available for the other affected products; for those, users can prevent attacks on the web server by disabling it if it is not needed. The vendor also advises setting the controller to RUN mode from the device's LCD menu, which prevents the web server from being re-enabled.

Rockwell has released firmware updates for several of its products in the past few months, and the company was among the automation vendors that recently warned customers of the risk of WannaCry ransomware attacks.

Related Reading: Rockwell Automation Teams With Claroty on Industrial Network Security

Related Reading: Rockwell Updates Stratix Routers to Patch Cisco IOS Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
