Rockwell Allen-Bradley MicroLogix, SLC 500, and PLC-5 Fault Generation Vulnerability
Low Risk | ICS-CERT ICSA-12-342-01B | Sep 10, 2012
Summary
A fault generation vulnerability exists in Rockwell Automation MicroLogix (1100, 1200, 1400, 1500), SLC 500, and PLC-5 controller platforms. The vulnerability allows manipulation of fault handling logic through crafted input or network requests, potentially causing unintended control logic execution or system instability. All versions of these legacy controllers are affected. No vendor patch is available.
What this means
What could happen
An attacker could trigger fault conditions in these legacy PLCs, potentially causing process instability, unintended state changes in control logic, or equipment shutdown. This could disrupt production lines or critical manufacturing processes.
Who's at risk
Manufacturing plants using Rockwell Automation legacy controllers—specifically MicroLogix (1100, 1200, 1400, 1500 series), SLC 500, or PLC-5 platforms—should be concerned. These are common in discrete manufacturing, assembly lines, and process control. Any facility still running these controllers for critical processes is at risk.
How it could be exploited
An attacker with network access to the controller or the engineering/programming interface could send crafted fault trigger commands or input values that exploit the fault generation logic. This could occur via direct network access to the controller's communication port (e.g., Ethernet, serial) or through compromised engineering workstations that communicate with the PLC.
Prerequisites
- Network access to the affected PLC via Ethernet or serial port
- Knowledge of the controller's fault handling implementation or ability to craft malicious inputs
- For some attack paths: access to or compromise of engineering workstations or programming software used to communicate with the PLC
- no patch available
- affects legacy manufacturing controllers
- low EPSS score but legacy systems may have limited monitoring
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (6)
6 EOL
Product | Affected Versions | Fix Status
MicroLogix 1100 controller: vers:all/* | All versions | No fix (EOL)
MicroLogix 1200 controller: vers:all/* | All versions | No fix (EOL)
MicroLogix 1500 controller: vers:all/* | All versions | No fix (EOL)
SLC 500 controller platform: vers:all/* | All versions | No fix (EOL)
PLC-5 controller platform PLC-5 Control System: vers:all/* | All versions | No fix (EOL)
MicroLogix 1400 controller: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict and monitor access to PLC programming ports and engineering software; limit which workstations can communicate with each controller
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Isolate affected PLCs from untrusted network segments; implement network segmentation between engineering workstations and production controllers
- HARDENING: Implement firewall rules to block unexpected traffic to the controllers' communication ports (e.g., deny inbound connections except from known engineering/HMI networks)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MicroLogix 1100 controller: vers:all/*, MicroLogix 1200 controller: vers:all/*, MicroLogix 1500 controller: vers:all/*, SLC 500 controller platform: vers:all/*, PLC-5 controller platform PLC-5 Control System: vers:all/*, MicroLogix 1400 controller: vers:all/*. Apply the following compensating controls:
- HARDENING: Consider migration planning for affected legacy controllers to modern Rockwell CompactLogix or ControlLogix platforms that receive security updates
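One way to monitor the workaround and firewall items above is to audit network flow records against a per-controller allowlist of engineering and HMI sources. This is an added example, not part of the advisory or any Rockwell tooling. The port numbers (44818/tcp EtherNet/IP, 2222/tcp legacy Allen-Bradley CSP), the IP addresses, the allowlist and the flow-record format are all assumptions.

```python
import ipaddress

# Assumption: 44818/tcp (EtherNet/IP) and 2222/tcp (legacy Allen-Bradley CSP)
# are the controller ports in use; the advisory itself names no ports.
PLC_PORTS = {44818, 2222}

# Hypothetical allowlist: controller IP -> source networks permitted to reach it.
ALLOWLIST = {
    "10.20.0.11": ["10.10.5.0/28", "10.10.6.20/32"],  # engineering subnet + HMI
    "10.20.0.12": ["10.10.6.20/32"],                  # HMI only
}

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2024-01-01T08:00:01Z 10.10.5.4 10.20.0.11 44818 tcp
2024-01-01T08:00:07Z 10.10.6.20 10.20.0.12 44818 tcp
2024-01-01T08:01:13Z 10.10.5.4 10.20.0.12 44818 tcp
2024-01-01T08:02:40Z 192.168.50.9 10.20.0.11 2222 tcp
2024-01-01T08:03:02Z 10.10.5.4 10.20.0.11 80 tcp
2024-01-01T08:03:30Z 10.10.5.9 10.20.0.99 44818 tcp
malformed line
"""

def audit_flows(text, allowlist=ALLOWLIST, ports=PLC_PORTS):
    """Return (violations, unparsed) for flows aimed at controller ports."""
    nets = {ip: [ipaddress.ip_network(n) for n in cidrs]
            for ip, cidrs in allowlist.items()}
    violations, unparsed = [], []
    for line in filter(str.strip, text.splitlines()):
        try:
            ts, src, dst, port, _proto = line.split()
            src_ip = ipaddress.ip_address(src)
            dst = str(ipaddress.ip_address(dst))
            port = int(port)
        except ValueError:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        if port not in ports:
            continue  # not a controller programming/communication port
        if dst not in nets:
            reason = "controller-not-in-inventory"  # no allowlist entry for target
        elif not any(src_ip in net for net in nets[dst]):
            reason = "source-not-allowlisted"
        else:
            continue
        violations.append((ts, src, dst, port, reason))
    return violations, unparsed
```

Flows flagged `controller-not-in-inventory` point at a host answering on a controller port with no allowlist entry, which usually means the asset list needs updating before firewall rules are written.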
CVEs (1)
API:
/api/v1/advisories/9d959683-5f03-49e4-a78b-64ba3acf18a8