Rockwell Automation has new firmware that can mitigate an improper input validation vulnerability in its MicroLogix 1100 Controllers, according to a report with ICS-CERT.
Successful exploitation of this vulnerability, discovered by Mark Gondree of Sonoma State University, Francisco Tacliad and Thuy Nguyen of the Naval Postgraduate School, could cause the device the attacker is accessing to enter a Denial-of-Service (DoS) condition.
The following versions of MicroLogix 1100 controllers suffer from the issue:
No known public exploits specifically target this vulnerability, which is not remotely exploitable. An attacker with high skill level could leverage the vulnerability.
In the vulnerability, a remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition.
CVE-2017-7924 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The device sees action in the critical manufacturing, food and agriculture, transportation systems and water and wastewater systems sectors. It also sees use on a global basis.
Milwaukee, WI-based Rockwell Automation recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
• Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818/TCP and UDP using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Rockwell Automation’s Knowledgebase Article ID 898270.
• Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and use best practices when isolating them from the business network. The Common Plant-wide Ethernet (CPwE) guide provides recommendations for deploying a plant-wide architecture: Industrial Firewalls within a CPwE Architecture
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Rockwell Automation recommends updating to the latest firmware revision of MicroLogix 1100 controllers, Version FRN 16.0 or later.
For more information on this vulnerability and more detailed mitigation instructions, see Rockwell Automation’s advisory.
For more details, click on Rockwell Automation’s security page.