Rockwell Automation released a firmware update for its MicroLogix 1400 programmable logic controllers (PLCs) to resolve a potentially serious vulnerability. This type of flaw was reportedly leveraged in the December 2016 attack on the Ukrainian electrical grid to disable protection relays and make it more difficult for operators to recover.
The MicroLogix PLC family is used worldwide in industrial control systems (ICS) to control processes in the critical infrastructure, food and agriculture, and water and wastewater sectors.
An expert from the University of Alabama in Huntsville (UAH) discovered that a flaw designated as CVE-2017-16740 affects several MicroLogix 1400 PLCs running firmware version 21.002 and earlier. The flaw is a buffer overflow vulnerability that can be triggered by specially crafted Modbus TCP packets sent to affected devices. CVE-2017-16740 can be exploited by a remote unauthenticated attacker.
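To show what a malformed Modbus TCP frame looks like at the framing level, the added example below (not code from Rockwell Automation, ICS-CERT or the original article) checks a request frame against the public Modbus TCP framing limits, as a monitoring point in front of a PLC might. The advisory does not say which field triggers CVE-2017-16740, so this is a generic sanity check; the function name and sample frames are constructed for illustration.

```python
from __future__ import annotations
import struct

MBAP_LEN = 7                  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253                 # function code + data, per the Modbus specification
MAX_ADU = MBAP_LEN + MAX_PDU  # 260 bytes for a Modbus TCP frame

def check_modbus_tcp_frame(frame: bytes) -> list[str]:
    """Return framing violations for a request frame; an empty list means well-formed."""
    if len(frame) < MBAP_LEN + 1:
        return ["truncated: shorter than MBAP header plus function code"]
    problems = []
    if len(frame) > MAX_ADU:
        problems.append(f"oversized: {len(frame)} bytes exceeds {MAX_ADU}")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        problems.append(f"protocol id {proto} is not 0 (Modbus)")
    # The length field counts the unit id plus the PDU that follows it,
    # i.e. everything after the first six header bytes.
    actual = len(frame) - 6
    if length != actual:
        problems.append(f"length field {length} != {actual} bytes present")
    if not 2 <= length <= MAX_PDU + 1:
        problems.append(f"length field {length} outside 2..{MAX_PDU + 1}")
    func = frame[MBAP_LEN]
    # Codes 0x80 and above are exception responses, never valid in a request.
    if func == 0 or func >= 0x80:
        problems.append(f"function code 0x{func:02x} is not a valid request code")
    return problems

# Constructed sample frames (not captured traffic, not the CVE trigger).
# Read Holding Registers: tid=1, proto=0, length=6, unit=1, fc=3, addr=0, qty=10
GOOD = bytes.fromhex("00010000000601030000000a")
# Same frame, but the header claims 200 bytes follow while only 6 do.
BAD_LENGTH = GOOD[:4] + struct.pack(">H", 200) + GOOD[6:]
# Same frame with a non-Modbus protocol identifier.
BAD_PROTO = GOOD[:2] + b"\x00\x01" + GOOD[4:]

if __name__ == "__main__":
    for name, frame in [("good", GOOD), ("bad length", BAD_LENGTH), ("bad proto", BAD_PROTO)]:
        print(name, check_modbus_tcp_frame(frame) or "ok")
```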
The flaw has been classified as highly severe, with a CVSS score of 8.6. Rockwell Automation’s advisory says affected devices are susceptible to denial-of-service (DoS) attacks, while ICS-CERT added that the flaw could also be exploited for remote code execution (RCE).
Rockwell Automation patched the vulnerability in December 2017 by releasing firmware version 21.003 for series B and series C hardware. A workaround to prevent remote access was released as well: users can disable Modbus TCP support if it’s not needed.
Stuxnet, the malware used to sabotage Iran’s nuclear program, also revealed how critical this type of flaw can be: it damaged PLCs, which led to the compromise of one-fifth of Iran’s centrifuges. The emergence of malware that targets the critical infrastructure of a foreign nation demonstrates how critical it is to find and fix problems within supervisory control and data acquisition (SCADA) systems.
MicroLogix 1400 Controllers, Series B and C Versions 21.002 and earlier, are affected by the vulnerability. Rockwell Automation also reports that the following catalogs are affected:
Users must implement measures to mitigate the risk of having this vulnerability exploited. NCCIC/ICS-CERT advises users to minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the internet. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).
Trend Micro provides a variety of solutions for securing ICS and SCADA devices.