There are multiple vulnerabilities in Rockwell Automation’s Allen-Bradley MicroLogix 1400 Programmable Logic Controllers (PLCs) that could modify device configuration and ladder logic, write modified program data into the device’s memory module, erase program data from the device’s memory module, or conduct Denial of Service (DoS) attacks against affected devices, according to a report from researchers.
Depending on the affected PLCs within an industrial control process, the vulnerabilities could result in significant damages, said researchers at Cisco Talos Group.
The following versions are affected by these vulnerabilities:
• Allen-Bradley MicroLogix 1400 Series B FRN 21.003
• Allen-Bradley MicroLogix 1400 Series B FRN 21.002
• Allen-Bradley MicroLogix 1400 Series B FRN 21.0
• Allen-Bradley MicroLogix 1400 Series B FRN 15
Rockwell’s Allen-Bradley MicroLogix 1400 Programmable Logic Controllers (PLCs) are used in a variety of Industrial Control System (ICS) applications and processes.
Because of that, these devices are often relied upon for the performance of critical process control functions in different critical infrastructure sectors.
Previously, Cisco Talos released details regarding a vulnerability in these devices.
In a continuing analysis of these devices, Jared Rittle and Patrick DeSantis of the Cisco Talos team discovered additional issues.
The following are vulnerability details provided by Cisco Talos:
Allen-Bradley MicroLogix 1400 Series B Ethernet Card malformed packet denial of service vulnerability:
This vulnerability would allow an unauthenticated attacker to send a specially crafted packet causing affected devices to power cycle and enter into a fault state. This results in the deletion of ladder logic previously stored on the devices. It is important to note this vulnerability is not leveraged using the EtherNet/IP protocol, so simply disabling EtherNet/IP using RSLogix will not provide effective mitigation.
Allen-Bradley MicroLogix 1400 Series B ladder logic program download device fault denial of service vulnerability:
This vulnerability would allow an unauthenticated attacker to send a specially crafted packet causing a denial of service condition. The vulnerability lies in the program download functionality of affected devices, allowing an attacker to force the devices into a fault condition by sending an ‘Execute Command List’ (CMD 0x0F, FNC 0x88) packet without following it up with a ‘Download Complete’ (CMD 0x0F, FNC 0x52). When this occurs, the device processes this as a failure condition and enters the non-user fault mode, causing it to cease normal operations and delete any stored logic.
Allen-Bradley MicroLogix 1400 Series B SNMP-set processing incorrect behavior order denial of service vulnerability:
This vulnerability is related to how the devices process ‘snmp-set’ commands received during a firmware update and could allow an authenticated attacker to cause a Denial of Service condition to occur on affected devices. By sending a specially crafted ‘snmp-set’ command without sending the subsequent ‘snmp-set’ commands that are normally associated with the final command sent during the firmware update process, the attacker could force the device to power cycle, making it unavailable for the duration of the reboot process.
Allen-Bradley MicroLogix 1400 Series B unauthenticated data/program/function file improper access control vulnerability:
This vulnerability is related to improper file access controls on affected devices. This vulnerability allows an unauthenticated attacker to perform read and write operations on files stored on the devices. This could be used to retrieve sensitive information from affected devices including the device master password, modify device settings or ladder logic, or cause the device to enter a fault condition causing a Denial of Service condition.
Allen-Bradley MicroLogix 1400 Series B memory module store program file write vulnerability:
This vulnerability allows an unauthenticated remote attacker to write the online program to the installed memory module on affected devices. An attacker could use this to store program modifications that are unable to take effect until a device power cycle. An attacker could subsequently use the newly stored program in conjunction with the ‘Load Memory Module On Memory Error’ setting to modify system settings, resulting in changes to enabled services.
Allen-Bradley MicroLogix 1400 Series B PLC session communication insufficient resource pool denial of service vulnerability:
This vulnerability is present in the session connection functionality on affected devices. By default, these devices support a maximum of ten simultaneous connections. Once this maximum has been reached, the device will terminate the oldest connection to make room in the connection pool for new connections that are established with the device. An unauthenticated attacker can send several ‘Register Session’ packets over a period of time to force legitimate connections to be terminated and prevent the establishment of additional legitimate connections to affected devices.
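As an added example (not from the report, Cisco Talos or Rockwell), a detector that parses the EtherNet/IP encapsulation header and flags a host that issues ‘Register Session’ requests faster than the ten-slot pool described above can absorb. The header layout is the public EtherNet/IP encapsulation format; the packet bytes, addresses, window and threshold are constructed assumptions.

```python
"""Count EtherNet/IP RegisterSession frames per source and flag hosts that
exceed the device's connection pool within a sliding window. Sample frames
are constructed here; the 24-byte header layout is the EtherNet/IP standard."""
import struct
from collections import defaultdict

ENIP_REGISTER_SESSION = 0x0065
# command, length, session handle, status, sender context, options (little-endian)
ENIP_HEADER = struct.Struct("<HHII8sI")

def parse_enip_command(data):
    """Return the encapsulation command code, or None if the frame is too short."""
    if len(data) < ENIP_HEADER.size:
        return None
    command, *_ = ENIP_HEADER.unpack_from(data)
    return command

def build_register_session():
    """Constructed sample frame: RegisterSession, protocol version 1, options 0."""
    body = struct.pack("<HH", 1, 0)
    return ENIP_HEADER.pack(ENIP_REGISTER_SESSION, len(body), 0, 0, b"\x00" * 8, 0) + body

def register_session_offenders(packets, window_s, limit):
    """packets: iterable of (timestamp_s, source_ip, raw_frame). Returns the
    sources that sent more than `limit` RegisterSession frames inside any
    window_s-second sliding window (a sign the pool is being churned)."""
    recent = defaultdict(list)   # source -> timestamps of its recent registrations
    offenders = set()
    for ts, src, raw in sorted(packets, key=lambda p: p[0]):
        if parse_enip_command(raw) != ENIP_REGISTER_SESSION:
            continue
        times = recent[src]
        times.append(ts)
        while times and ts - times[0] > window_s:   # drop entries outside the window
            times.pop(0)
        if len(times) > limit:
            offenders.add(src)
    return sorted(offenders)

POOL_SIZE = 10   # default simultaneous-connection limit stated in the advisory
# Constructed traffic: one HMI registering once, and one host registering 12 times in 6 s
SAMPLE = [(0.0, "10.0.0.5", build_register_session())]
SAMPLE += [(i * 0.5, "10.0.0.77", build_register_session()) for i in range(12)]

if __name__ == "__main__":
    print(register_session_offenders(SAMPLE, window_s=60.0, limit=POOL_SIZE))
```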