A serious vulnerability affecting some of Rockwell Automation’s MicroLogix and CompactLogix programmable logic controllers (PLCs) can be exploited by a remote attacker to redirect users to malicious websites.
According to advisories published by ICS-CERT and Rockwell Automation, the flaw, tracked as CVE-2019-10955 and assigned a CVSS score of 7.1 (high severity), impacts MicroLogix 1100 and 1400, and CompactLogix 5370 (L1, L2 and L3) controllers.
The issue, described by ICS-CERT as an open redirect vulnerability, is related to the web server running on these devices. This web server accepts user input from the PLC's web interface, and a remote, unauthenticated attacker can inject a malicious link that redirects users from the controller's web server to an arbitrary site.
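The advisories do not disclose which parameter or endpoint on the controller's web server is affected, so the following is a generic illustration of the open redirect pattern and is not Rockwell's firmware code. It is an added example: the vulnerable form honours whatever destination the request supplies, while the hardened form only permits paths on the device itself. The host name `plc.example.local` and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hypothetical host name of the controller's web server (an assumption for
# this example; the advisory names no host or parameter).
DEVICE_HOST = "plc.example.local"


def unsafe_redirect_target(target: str) -> str:
    """Vulnerable pattern (open redirect): the redirect destination is taken
    verbatim from user-controlled input, so a crafted link such as
    ?redirect=https://attacker.example/ sends the user off the device."""
    return target


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Hardened pattern: only redirect to a path on the device itself.

    Anything else (other hosts, scheme-relative URLs, non-HTTP schemes,
    backslash tricks, empty input) falls back to `default`.
    """
    if not target or any(ord(c) < 0x20 for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default

    # Absolute or scheme-relative URL: allow only http(s) to the device itself,
    # and even then keep just the path so the Location header stays relative.
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return default
        if parts.hostname != DEVICE_HOST:
            return default
        return parts.path or "/"

    # Relative input: require a rooted path ("/status"), reject "//host"
    # (scheme-relative) and backslashes, which some browsers treat as slashes.
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return default
    return target


def build_redirect_response(target: str) -> dict:
    """Minimal stand-in for the server's redirect response: the Location
    header is built only from a validated destination."""
    return {"status": 302, "headers": {"Location": safe_redirect_target(target)}}


if __name__ == "__main__":
    # Constructed inputs, not from the advisory.
    for candidate in ["/index.html", "https://attacker.example/login",
                      "//attacker.example/", "http://plc.example.local/status"]:
        print(f"{candidate!r:45} -> {build_redirect_response(candidate)['headers']['Location']}")
```

The key design choice is that the hardened version never echoes an external URL into `Location`: even a request naming the device's own host is reduced to its path, so the check cannot be bypassed with userinfo (`http://plc.example.local@attacker.example/`) or look-alike hosts.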
“This malicious website could potentially run or download arbitrary malware on the user’s machine. The target of this type of attack is not the industrial control device and does not disrupt its control functionality,” Rockwell noted in its advisory (only available to registered users).
The vendor has released firmware updates for the affected controllers that should patch the vulnerability. Organizations that cannot install the updates have been advised to disable the web server and implement general security measures in order to prevent potential attacks.
Researchers Josiah Bryan and Geancarlo Palavicini have been credited for reporting the vulnerability to Rockwell Automation.