The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s Web server to view and alter product configuration and diagnostics information. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

The web-server password-authentication functionality in Rockwell Automation MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

The web-server password-authentication functionality in Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic.

The installed firmware on the remote Allen-Bradley MicroLogix 1400 controller is affected by multiple vulnerabilities :

  - A flaw exists when handling messages that modify     specific bits in status files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted message, to cause a denial of service     condition. (CVE-2012-4690)

  - A flaw exists in the Ethernet/IP protocol implementation     when handling a CIP message that specifies a     logic-execution 'stop' command. An unauthenticated,     remote attacker can exploit this, via a specially     crafted message, to cause a denial of service condition.
    (CVE-2012-6435)

  - A buffer overflow condition exists due to improper     validation of user-supplied input when parsing CIP     packets. An unauthenticated, remote attacker can exploit     this, via a malformed packet, to cause a denial of     service condition. (CVE-2012-6436, CVE-2012-6438)

  - A flaw exists due to a failure to properly authenticate     Ethernet firmware updates. An unauthenticated, remote     attacker can exploit this, via a trojan horse update     image, to execute arbitrary code. (CVE-2012-6437)

  - A flaw exists when handling CIP messages that modify     network and configuration parameters. An     unauthenticated, remote attacker can exploit this, via a     specially crafted message, to cause a denial of service     condition. (CVE-2012-6439)

  - A flaw exists due to a failure to properly restrict     session replaying. A man-in-the-middle attacker can     exploit this, via HTTP traffic, to conduct a replay     attack. (CVE-2012-6440)

  - An information disclosure vulnerability exists in the     Ethernet/IP protocol implementation when handling the     'dump' command. An unauthenticated, remote attacker     can exploit this, via a specially crafted CIP packet,     to disclose the boot code of the device. (CVE-2012-6441)

  - A flaw exists in the Ethernet/IP protocol implementation     when handling a CIP message that specifies a 'reset'     command. An unauthenticated, remote attacker can exploit     this, via a specially crafted message, to cause a denial     of service condition. (CVE-2012-6442)

Note that Nessus has not tested for these issues but has instead relied only on the firmware's self-reported version number.

The Rockwell Automation MicroLogix 1100 PLC integrated web server has a firmware version that is prior to Series B FRN 12.0. It is, therefore, affected by an authentication bypass vulnerability due to a failure to properly restrict session replays. A man-in-the-middle attacker via HTTP traffic can use a session replay attack to bypass the web server's authentication mechanism.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the self-reported version number.

ID	Name	Product	Family	Severity
500111	Rockwell Automation ControlLogix controllers Improper Authentication (CVE-2012-6440)	Tenable OT Security	Tenable.ot	high
720028	Rockwell Automation/Allen-Bradley Ethernet/IP Products Authentication Bypass	Nessus Network Monitor	SCADA	critical
91345	Allen-Bradley MicroLogix 1400 Multiple Vulnerabilities	Nessus	SCADA	critical
84568	Rockwell Automation MicroLogix 1100 PLC < Series B FRN 12.0 MitM Replay Authentication Bypass	Nessus	SCADA	high

Detections

Analytics

CVE-2012-6440

critical

Tenable Plugins

high

critical

critical

high