Potentially Serious Vulnerability Patched in Rockwell Automation’s MicroLogix 1400 PLC

Rockwell Automation released a firmware update for its MicroLogix 1400 programmable logic controllers (PLCs) to resolve a potentially serious vulnerability. This type of flaw was reportedly leveraged in the December 2016 attack on the Ukrainian electrical grid to disable protection relays and make it more difficult for operators to recover.

The MicroLogix PLC family is used worldwide in industrial control systems (ICS) for critical infrastructure, food and agriculture, and water and wastewater sectors for controlling processes.

An expert from the University of Alabama in Huntsville (UAH) discovered that a flaw designated as CVE-2017-16740 affects several MicroLogix 1400 PLCs running firmware version 21.002 and earlier. The flaw is a buffer overflow vulnerability that can be triggered by specially crafted Modbus TCP packets sent to affected devices. CVE-2017-16740 can be exploited by a remote unauthenticated attacker.

The flaw has been classified as highly severe with a CVSS score of 8.6. Rockwell Automation’s advisory says it is susceptible to DoS attacks, while ICS-CERT added that it could also be exploited for remote code execution (RCE).

Rockwell Automation patched the vulnerability in December 2017 by releasing firmware version 21.003 for series B and series C hardware. A workaround to prevent remote access was released as well: users can disable Modbus TCP support if it’s not needed.

Stuxnet, a malware that was used to sabotage Iran’s nuclear program, also revealed how critical this type of flaw can be after it damaged PLCs that led to the compromise of one-fifth of Iran’s centrifuges. The emergence of malware that target the critical infrastructure of a foreign nation demonstrates how critical it is to find and fix problems within supervisory control and data acquisition (SCADA) systems.

MicroLogix 1400 Controllers, Series B and C Versions 21.002 and earlier, are affected by the vulnerability. Rockwell Automation also reports that the following catalogs are affected:

• 1766-L32AWA
• 1766-L32AWAA
• 1766-L32BWA
• 1766-L32BWAA
• 1766-L32BXB
• 1766-L32BXBA

Countermeasures

Users must implement measures to mitigate the risk of having this vulnerability exploited. NCCIC/ICS-CERT advises users to minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the internet. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).

Trend Micro provides a variety of solutions for securing ICS and SCADA devices.

• Deep Security includes virtual patching for known vulnerabilities associated with OS and applications that may be running on these devices. Application Control can allow the device to only run known and approved OS/applications on these devices. Malware can be detected and removed using multiple scanning technologies. Integrity Monitoring is able to quickly identify any un-authorized changes to critical files.
• OfficeScan includes a variety of technologies to detect and protect against malware as well as web reputation to detect malicious URLs and command-and-control communications. USB device control is also included.
• Trend Micro Vulnerability Protection supports detecting known vulnerabilities associated with OS and applications that may be running on these devices.
• Trend Micro Endpoint Application Control can allow the device to only run known and approved OS/applications on these devices by locking down the operating system or running applications.