Allen-Bradley MicroLogix 1400 Multiple Vulnerabilities

Nessus Plugin ID 91345 (Severity: Critical)

Synopsis

The remote Allen-Bradley MicroLogix 1400 controller is affected by multiple vulnerabilities.

Description

The installed firmware on the remote Allen-Bradley MicroLogix 1400 controller is affected by multiple vulnerabilities:

- A flaw exists when handling messages that modify specific bits in status files. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-4690)

- A flaw exists in the Ethernet/IP protocol implementation when handling a CIP message that specifies a logic-execution 'stop' command. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-6435)

- A buffer overflow condition exists due to improper validation of user-supplied input when parsing CIP packets. An unauthenticated, remote attacker can exploit this, via a malformed packet, to cause a denial of service condition. (CVE-2012-6436, CVE-2012-6438)

- A flaw exists due to a failure to properly authenticate Ethernet firmware updates. An unauthenticated, remote attacker can exploit this, via a trojan horse update image, to execute arbitrary code. (CVE-2012-6437)

- A flaw exists when handling CIP messages that modify network and configuration parameters. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-6439)

- A flaw exists due to a failure to properly restrict session replaying. A man-in-the-middle attacker can exploit this, via HTTP traffic, to conduct a replay attack. (CVE-2012-6440)

- An information disclosure vulnerability exists in the Ethernet/IP protocol implementation when handling the 'dump' command. An unauthenticated, remote attacker can exploit this, via a specially crafted CIP packet, to disclose the boot code of the device. (CVE-2012-6441)

- A flaw exists in the Ethernet/IP protocol implementation when handling a CIP message that specifies a 'reset' command. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-6442)

Note that Nessus has not tested for these issues but has instead relied only on the firmware's self-reported version number.

Solution

Upgrade to the latest firmware version, or if not possible, apply the mitigation steps that are recommended by the vendor.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-13-011-03

https://ics-cert.us-cert.gov/advisories/ICSA-12-342-01B

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-12-020-02A

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F470154

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F470155

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F470156

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F54102

Plugin Details

Severity: Critical

ID: 91345

File Name: scada_AB_micrologix_1400.nbin

Version: 1.48

Type: remote

Family: SCADA

Published: 5/27/2016

Updated: 7/19/2022

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/h:rockwellautomation:ab_micrologix_controller:1400

Required KB Items: SCADA/ethernetip/cip/tcp/identity/vendorname, SCADA/ethernetip/cip/tcp/identity/devicetype, SCADA/ethernetip/cip/tcp/identity/product, SCADA/ethernetip/cip/tcp/identity/revision

Exploit Ease: No known exploits are available

Patch Publication Date: 7/18/2012

Vulnerability Publication Date: 1/19/2012

Reference Information

CVE: CVE-2012-4690, CVE-2012-6435, CVE-2012-6436, CVE-2012-6437, CVE-2012-6438, CVE-2012-6439, CVE-2012-6440, CVE-2012-6441, CVE-2012-6442

BID: 56872, 57306, 57307, 57308, 57309, 57310, 57311, 57315, 57317