Several Vulnerabilities Found in Rockwell Automation PLCs

ICS-CERT has published an advisory describing several vulnerabilities, including ones rated critical, in Rockwell Automation’s Allen-Bradley MicroLogix programmable logic controllers (PLCs). Firmware updates that patch the flaws are available only for some devices.

A total of five security holes were reported to Rockwell Automation by researchers at Georgia Tech, Fortiphyd Logic and Positive Technologies. They affect various models of the Allen-Bradley MicroLogix 1100 and 1400 PLCs, both series A and B, running version 16.00 and earlier of the firmware.

Rockwell Automation Allen-Bradley MicroLogix PLC

The most serious of the flaws, based on their CVSS scores, are related to authentication. One of the issues, tracked as CVE-2017-7898 and rated critical, stems from the web server login page placing no limit on the number of incorrect password attempts, which leaves it open to brute-force attacks.

Another critical weakness, CVE-2017-7903, is related to the fact that the web interface is protected by a numeric password with a small maximum length. The resulting small password space makes brute-force attacks even easier to carry out.

Two of the flaws found in Allen-Bradley MicroLogix PLCs have been rated “medium severity” with a CVSS score of 5.4. One of them is related to insufficiently random TCP initial sequence numbers and can be exploited for denial-of-service (DoS) attacks, while the other is caused by the reuse of nonces and allows an attacker to capture and replay valid requests.
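As an added illustration of the first medium-severity issue (not code from the advisory, the researchers or Rockwell), the check below takes the initial sequence numbers observed on successive connections to one device and flags them when the increments are regular enough to guess the next one; the sample ISNs and the tolerance threshold are constructed assumptions for this example, not values from the affected firmware.

```python
"""Flag predictable TCP initial sequence numbers (ISNs) from observed samples.

Feed in the ISNs a device used on the SYN-ACKs of consecutive connections
(e.g. pulled from a packet capture). If nearly every increment clusters
around the same value, an off-path attacker can guess in-window sequence
numbers and reset or spoof sessions, which is the DoS exposure described for
weak ISN generation. Thresholds here are assumptions chosen for illustration.
"""
from statistics import median

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample: a counter-style generator adding a fixed step per connection.
PREDICTABLE_ISNS = [0x1000 + i * 64000 for i in range(8)]

# Constructed sample: values spread across the 32-bit space, as a sound generator gives.
RANDOM_LOOKING_ISNS = [0x9A3F1C02, 0x17E4B2A9, 0xD1028F66, 0x3BA7F0E1,
                       0x8C5D2A1B, 0x02F6E9D4, 0xE13C7A58, 0x6F9B4C10]


def isn_deltas(isns):
    """Increments between successive ISNs, taken modulo 2^32 so wrap-around
    (e.g. 0xFFFFFFFF followed by 1) is handled correctly."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_is_predictable(isns, tolerance=1 << 16, min_regular=0.9):
    """Return True when at least `min_regular` of the increments lie within
    +/- `tolerance` of the median increment, i.e. the next ISN is guessable
    from the previous one. Fewer than four samples is inconclusive -> False."""
    deltas = isn_deltas(isns)
    if len(deltas) < 3:
        return False
    centre = median(deltas)
    regular = sum(1 for d in deltas if abs(d - centre) <= tolerance)
    return regular / len(deltas) >= min_regular


if __name__ == "__main__":
    for label, sample in (("counter-style", PREDICTABLE_ISNS),
                          ("random-looking", RANDOM_LOOKING_ISNS)):
        verdict = "PREDICTABLE" if isn_is_predictable(sample) else "ok"
        print(f"{label}: {verdict}")
```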

The least severe vulnerability is an information disclosure issue. Researchers noticed that user credentials are sent to the web server via an HTTP GET request, which can expose the sensitive information.

Rockwell Automation has released firmware version 21.00 for Allen-Bradley MicroLogix 1400 Series B controllers to address these vulnerabilities. Updates are not available for the other affected products, but users can prevent potential attacks by disabling the web server if it’s not needed. In addition to disabling the web server, the vendor has advised customers to set the mode to RUN in the device’s LCD menu to prevent it from being re-enabled.

Rockwell has released firmware updates for several of its products in the past few months, and the company was among the automation vendors that recently warned customers of the risk of WannaCry ransomware attacks.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.