Rockwell Automation MicroLogix 1100 PLC Overflow Vulnerability

Plan PatchCVSS 9.8ICS-CERT ICSA-16-026-02Oct 29, 2016

Rockwell AutomationManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A buffer overflow vulnerability exists in Rockwell Automation MicroLogix 1100 PLC controllers (all 1763-L16 variants, Series A and B, firmware version 15.000 and earlier). An unauthenticated attacker on the network can send a specially crafted packet to trigger the overflow, potentially allowing arbitrary code execution on the controller. The vulnerability affects the firmware's packet handling in the EtherNet/IP network service. Rockwell Automation has not released a firmware update to address this issue; the affected product line is legacy and no patch is planned.

What this means

What could happen

An attacker with network access to a MicroLogix 1100 PLC could trigger a buffer overflow, potentially allowing them to execute arbitrary code on the controller and disrupt manufacturing processes, alter logic, or cause equipment damage.

Who's at risk

Manufacturing facilities and municipal utilities relying on Rockwell Automation MicroLogix 1100 PLCs for process control (all variants of the 1763-L16 series, both Series A and B). This includes water treatment plants, electric utilities, and discrete manufacturing operations using these legacy controllers for logic, sequencing, and equipment control.

How it could be exploited

An attacker on the network sends a specially crafted packet to the PLC's Ethernet port that overflows a memory buffer in the firmware. This could allow the attacker to inject and execute malicious code on the controller, bypassing normal application logic and gaining control of the device.

Prerequisites

Network access to the PLC Ethernet port (port 502 or 1756 typically)
No authentication required—the vulnerability is in the network service listening on the standard port

Remotely exploitableNo authentication requiredLow complexity attackNo patch available from vendorCritical CVSS score (9.8)Affects safety-critical industrial control devices

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (8)

8 EOL

ProductAffected VersionsFix Status

MicroLogix 1100 controller 1763-L16AWA Series B: <=15.000≤ 15.000No fix (EOL)

MicroLogix 1100 controller 1763-L16BBB Series B: <=15.000≤ 15.000No fix (EOL)

MicroLogix 1100 controller 1763-L16BWA Series B: <=15.000≤ 15.000No fix (EOL)

MicroLogix 1100 controller 1763-L16DWD Series B: <=15.000≤ 15.000No fix (EOL)

MicroLogix 1100 controller 1763-L16AWA Series A: <=15.000≤ 15.000No fix (EOL)

MicroLogix 1100 controller 1763-L16BBB Series A: <=15.000≤ 15.000No fix (EOL)

MicroLogix 1100 controller 1763-L16BWA Series A: <=15.000≤ 15.000No fix (EOL)

MicroLogix 1100 controller 1763-L16DWD Series A: <=15.000≤ 15.000No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGImplement network segmentation: place MicroLogix 1100 PLCs on an isolated industrial network with firewall rules that block inbound connections from non-essential networks and workstations

WORKAROUNDRestrict network access to the PLC: use firewalls or managed switches to limit which machines can reach port 502 and 1756 (EtherNet/IP ports) on each affected controller

HARDENINGDocument all MicroLogix 1100 controllers in your plant: create an inventory of affected devices, their network location, and criticality to enable targeted protective measures

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGDevelop an upgrade or replacement plan: since no firmware fix is available from Rockwell Automation, evaluate replacing or upgrading affected MicroLogix 1100 series controllers with current-generation hardware that receives security updates

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: MicroLogix 1100 controller 1763-L16AWA Series B: <=15.000, MicroLogix 1100 controller 1763-L16BBB Series B: <=15.000, MicroLogix 1100 controller 1763-L16BWA Series B: <=15.000, MicroLogix 1100 controller 1763-L16DWD Series B: <=15.000, MicroLogix 1100 controller 1763-L16AWA Series A: <=15.000, MicroLogix 1100 controller 1763-L16BBB Series A: <=15.000, MicroLogix 1100 controller 1763-L16BWA Series A: <=15.000, MicroLogix 1100 controller 1763-L16DWD Series A: <=15.000. Apply the following compensating controls:

HARDENINGMonitor network traffic: deploy network monitoring to detect unusual connection attempts to affected PLCs from unauthorized sources

CVEs (1)

CVE-2016-0868

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b284197e-485c-4948-96e0-f2a7bb9f3919

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.