OTPulse

Rockwell Micrologix 1400 DNP3 DOS Vulnerability

Low Risk · ICS-CERT ICSA-14-254-02 · Jun 14, 2014
Summary

The Rockwell MicroLogix 1400 Series A and B controllers are vulnerable to a denial-of-service condition via malformed DNP3 protocol messages (CWE-20: Improper Input Validation). A remote attacker can send a specially crafted DNP3 packet to crash the controller, interrupting the execution of its control program until manual restart. No firmware patch is available from Rockwell for this issue.

What this means
What could happen
A malformed DNP3 message can crash the MicroLogix 1400 controller, stopping program execution and halting any process it controls until the device is manually restarted.
Who's at risk
Water utilities and municipal electric systems using Rockwell MicroLogix 1400 controllers with DNP3 communications for SCADA integration should be concerned. This affects older legacy controllers (Series A and B) commonly found in pump stations, remote terminal units (RTUs), and substation control logic.
How it could be exploited
An attacker with network access to the controller's DNP3 port (typically port 20000) can send a specially crafted DNP3 packet that triggers a denial-of-service condition, causing the device to crash and restart.
Prerequisites
  • Network access to the MicroLogix 1400 on its DNP3 communication port
  • Device must be configured to accept DNP3 messages
remotely exploitable · no authentication required · low complexity · no patch available · affects critical control logic
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
1766-Lxxxxx Series A | ≤ FRN 7 | No fix (EOL)
1766-Lxxxxx Series B | ≤ FRN 15.000 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate or restrict network access to the MicroLogix 1400 DNP3 port using a firewall or network segmentation; only allow DNP3 traffic from trusted, known SCADA/control network devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor the controller for unexpected restarts or communication failures that may indicate exploitation attempts
WORKAROUND: Develop and test a manual restart procedure for this controller so you can quickly restore operations if a crash occurs
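
One way to check both hardening items from network flow records, as an added example that is not part of the advisory or any Rockwell tooling: it flags DNP3 flows that reach the controller from outside the trusted-master allowlist, and flags the point where the trusted master's polls stop being answered. The IP addresses, CSV layout, poll interval and silence threshold are all assumptions constructed for this example.

```python
import csv
import io
import ipaddress
from datetime import datetime

DNP3_PORT = 20000  # typical DNP3 port per the advisory
# Everything below is constructed for illustration: addresses, CSV layout, threshold.
TRUSTED_MASTERS = [ipaddress.ip_network("10.20.0.10/32")]  # known SCADA master
CONTROLLERS = {ipaddress.ip_address("10.20.5.21")}         # MicroLogix 1400
MAX_SILENCE_S = 30  # assumes the master polls every 10 s

# bytes_in = bytes the controller sent back on that flow
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out,bytes_in
2024-01-01T00:00:00,10.20.0.10,10.20.5.21,20000,120,340
2024-01-01T00:00:10,10.20.0.10,10.20.5.21,20000,120,340
2024-01-01T00:00:12,10.20.0.10,10.20.5.30,20000,120,340
2024-01-01T00:00:14,10.20.9.77,10.20.5.21,20000,292,0
2024-01-01T00:00:15,10.20.9.77,10.20.5.21,44818,64,64
2024-01-01T00:00:20,10.20.0.10,10.20.5.21,20000,120,0
2024-01-01T00:00:30,10.20.0.10,10.20.5.21,20000,120,0
2024-01-01T00:00:40,10.20.0.10,10.20.5.21,20000,120,0
2024-01-01T00:00:50,10.20.0.10,10.20.5.21,20000,120,0
2024-01-01T00:01:00,10.20.0.10,10.20.5.21,20000,120,0
"""

def audit(flow_csv):
    """Return (kind, ts, src, dst) findings for DNP3 flows to controllers."""
    findings, last_reply, alerted = [], {}, set()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dst = ipaddress.ip_address(row["dst"])
        if dst not in CONTROLLERS or int(row["dport"]) != DNP3_PORT:
            continue  # not DNP3 traffic to a monitored controller
        src = ipaddress.ip_address(row["src"])
        ts = datetime.fromisoformat(row["ts"])
        if not any(src in net for net in TRUSTED_MASTERS):
            # The firewall rule should have dropped this; it reached the port.
            findings.append(("untrusted_source", row["ts"], str(src), str(dst)))
        elif int(row["bytes_in"]) > 0:
            last_reply[dst] = ts      # controller answered the poll
            alerted.discard(dst)
        elif (dst in last_reply and dst not in alerted
              and (ts - last_reply[dst]).total_seconds() > MAX_SILENCE_S):
            # Trusted polls unanswered past the threshold: possible crash.
            findings.append(("controller_silent", row["ts"], str(src), str(dst)))
            alerted.add(dst)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

A `controller_silent` finding is the cue to run the tested manual restart procedure; an `untrusted_source` finding means the firewall or segmentation rule is not enforcing the allowlist.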