OTPulse

Rockwell Automation MicroLogix 1100 PLC Overflow Vulnerability

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-16-026-02 · Oct 29, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability exists in Rockwell Automation MicroLogix 1100 PLC controllers (all 1763-L16 variants, Series A and B, firmware version 15.000 and earlier). An unauthenticated attacker on the network can send a specially crafted packet to trigger the overflow, potentially allowing arbitrary code execution on the controller. The vulnerability affects the firmware's packet handling in the EtherNet/IP network service. Rockwell Automation has not released a firmware update to address this issue; the affected product line is legacy and no patch is planned.

What this means
What could happen
An attacker with network access to a MicroLogix 1100 PLC could trigger a buffer overflow, potentially allowing them to execute arbitrary code on the controller and disrupt manufacturing processes, alter logic, or cause equipment damage.
Who's at risk
Manufacturing facilities and municipal utilities relying on Rockwell Automation MicroLogix 1100 PLCs for process control (all variants of the 1763-L16 series, both Series A and B). This includes water treatment plants, electric utilities, and discrete manufacturing operations using these legacy controllers for logic, sequencing, and equipment control.
How it could be exploited
An attacker on the network sends a specially crafted packet to the PLC's Ethernet port that overflows a memory buffer in the firmware. This could allow the attacker to inject and execute malicious code on the controller, bypassing normal application logic and gaining control of the device.
Prerequisites
  • Network access to the PLC's Ethernet port, specifically the EtherNet/IP service on TCP/UDP 44818 (UDP 2222 carries implicit I/O). Modbus/TCP on port 502 is a separate service that is only exposed when it has been enabled on the controller.
  • No authentication required: the vulnerable service accepts unauthenticated packets on its standard port, so any host that can reach the port can send the trigger.
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available from vendor
  • Critical CVSS score (9.8)
  • Affects safety-critical industrial control devices
Exploitability
Low exploit probability (EPSS 0.2%). EPSS estimates the chance of exploitation being observed in the wild; it does not weigh impact or the absence of a patch, so a low score should not lower the priority of an unauthenticated, network-reachable flaw in a controller that runs physical processes.
Affected products (8): all end of life, no fix available

Product                                    Series   Affected versions   Fix status
MicroLogix 1100 controller 1763-L16AWA     B        ≤ 15.000            No fix (EOL)
MicroLogix 1100 controller 1763-L16BBB     B        ≤ 15.000            No fix (EOL)
MicroLogix 1100 controller 1763-L16BWA     B        ≤ 15.000            No fix (EOL)
MicroLogix 1100 controller 1763-L16DWD     B        ≤ 15.000            No fix (EOL)
MicroLogix 1100 controller 1763-L16AWA     A        ≤ 15.000            No fix (EOL)
MicroLogix 1100 controller 1763-L16BBB     A        ≤ 15.000            No fix (EOL)
MicroLogix 1100 controller 1763-L16BWA     A        ≤ 15.000            No fix (EOL)
MicroLogix 1100 controller 1763-L16DWD     A        ≤ 15.000            No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Implement network segmentation: place MicroLogix 1100 PLCs on an isolated industrial network behind a firewall whose rules block all inbound connections to the PLC segment except from the specific engineering and HMI hosts that need them.
[WORKAROUND] Restrict network access to the PLC: use firewalls or managed switches (ACLs) to limit which machines can reach the EtherNet/IP ports (TCP/UDP 44818 and UDP 2222) on each affected controller, and port 502 as well if Modbus/TCP is enabled on it.
[HARDENING] Document all MicroLogix 1100 controllers in your plant: create an inventory of affected devices (catalog number, series, firmware revision), their network location, and their criticality, so that protective measures can be targeted and the replacement plan prioritised.
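The inventory step above needs a way to confirm which controllers on the network fall in the advisory's scope. EtherNet/IP devices answer a ListIdentity request (sent to UDP 44818, which may be broadcast on the PLC segment) with their CIP Identity object, which carries the vendor ID, product name and firmware revision. The following is an added example and not code from OTPulse, Rockwell Automation or the advisory: it decodes such a reply and flags devices that match the advisory (1763-L16 catalog prefix, firmware 15.000 or earlier). The reply bytes are constructed inline; the product name strings, product code, serial number and the mapping of the CIP revision major.minor to the FRN version are assumptions made for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

ENIP_LIST_IDENTITY = 0x0063       # encapsulation command code for ListIdentity
CPF_ITEM_LIST_IDENTITY = 0x000C   # CPF item type carried in a ListIdentity reply
ROCKWELL_VENDOR_ID = 1            # CIP vendor ID of Rockwell Automation / Allen-Bradley
AFFECTED_PREFIX = "1763-L16"      # catalog prefix shared by every variant in the advisory
AFFECTED_MAX_REVISION = (15, 0)   # FRN 15.000 and earlier (assumption: CIP major.minor == FRN)


@dataclass
class Identity:
    ip: str
    vendor_id: int
    device_type: int
    product_code: int
    revision: tuple
    serial: int
    product_name: str
    state: int


def parse_list_identity(data: bytes) -> Identity:
    """Decode one EtherNet/IP ListIdentity reply: a 24-byte encapsulation header followed
    by a CPF item of type 0x000C. Fields are little-endian except the embedded sockaddr_in,
    which the specification carries in network (big-endian) byte order."""
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from("<HHII8sI", data, 0)
    if cmd != ENIP_LIST_IDENTITY or status != 0:
        raise ValueError(f"not a successful ListIdentity reply (cmd=0x{cmd:04x}, status={status})")
    if length != len(data) - 24:
        raise ValueError("encapsulation length does not match payload size")
    off = 24
    (item_count,) = struct.unpack_from("<H", data, off); off += 2
    if item_count < 1:
        raise ValueError("reply carries no CPF items")
    item_type, item_len = struct.unpack_from("<HH", data, off); off += 4
    if item_type != CPF_ITEM_LIST_IDENTITY:
        raise ValueError(f"unexpected CPF item type 0x{item_type:04x}")
    item_end = off + item_len
    off += 2                                                            # encapsulation protocol version
    _family, _port, ip_raw = struct.unpack_from(">HHI", data, off); off += 16   # sockaddr_in (16 bytes)
    fields = struct.unpack_from("<HHHBBHIB", data, off); off += 15
    vendor, dev_type, prod_code, rev_major, rev_minor, _dev_status, serial, name_len = fields
    name = data[off:off + name_len].decode("ascii", errors="replace"); off += name_len
    state = data[off]; off += 1
    if off != item_end:
        raise ValueError("CPF item length does not match the decoded fields")
    return Identity(str(ipaddress.IPv4Address(ip_raw)), vendor, dev_type, prod_code,
                    (rev_major, rev_minor), serial, name, state)


def is_affected(ident: Identity) -> bool:
    """True when the device is a Rockwell 1763-L16 at revision 15.000 or earlier."""
    return (ident.vendor_id == ROCKWELL_VENDOR_ID
            and ident.product_name.startswith(AFFECTED_PREFIX)
            and ident.revision <= AFFECTED_MAX_REVISION)


def build_sample_reply(product_name: str, rev: tuple, ip: str,
                       vendor: int = ROCKWELL_VENDOR_ID) -> bytes:
    """Constructed ListIdentity reply for offline testing. Device type 0x0E is the CIP
    'Programmable Logic Controller' profile; product code, status and serial are made up."""
    name = product_name.encode("ascii")
    body = struct.pack("<H", 1)                                                   # protocol version 1
    body += struct.pack(">HHI8s", 2, 44818, int(ipaddress.IPv4Address(ip)), b"\x00" * 8)  # AF_INET sockaddr
    body += struct.pack("<HHHBBHIB", vendor, 0x0E, 0x5A, rev[0], rev[1], 0x0030, 0x00C0FFEE, len(name))
    body += name + bytes([3])                                                     # state 3 = Operational
    payload = struct.pack("<H", 1) + struct.pack("<HH", CPF_ITEM_LIST_IDENTITY, len(body)) + body
    header = struct.pack("<HHII8sI", ENIP_LIST_IDENTITY, len(payload), 0, 0, b"\x00" * 8, 0)
    return header + payload


if __name__ == "__main__":
    # Constructed replies standing in for what two controllers on the segment would send back.
    for reply in (build_sample_reply("1763-L16BWA B/15.00", (15, 0), "192.168.1.10"),
                  build_sample_reply("1763-L16BBB B/15.02", (15, 2), "192.168.1.11")):
        ident = parse_list_identity(reply)
        print(ident.ip, ident.product_name, ident.revision, "AFFECTED" if is_affected(ident) else "ok")
```

In a real sweep the request is the 24-byte encapsulation header alone (command 0x0063, every other field zero) sent to UDP 44818 from a host on the PLC segment, and each reply is passed to parse_list_identity. Do this during a maintenance window and rate-limit it: legacy controllers of this generation are known to fault under unexpected traffic, which is the same weakness this advisory describes. A passive source (a tap or SPAN port feeding a decoder) gives the same fields without sending anything to the controllers.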
Schedule (requires maintenance window)

There is no firmware patch to apply; the scheduled work is hardware replacement. Swapping a controller takes its process offline, so plan the interruption and the re-validation of the control program.

[HARDENING] Develop an upgrade or replacement plan: since no firmware fix is available from Rockwell Automation, evaluate replacing affected MicroLogix 1100 controllers with current-generation hardware that still receives security updates, prioritising the units with the highest criticality and the widest network exposure from the inventory.
Mitigations (no patch available)

All eight 1763-L16 variants listed above (Series A and B, firmware ≤ 15.000) have reached end of life with no planned fix. Apply the following compensating controls:

[HARDENING] Monitor network traffic: deploy passive monitoring on the PLC segment (a tap or SPAN port feeding an IDS that decodes EtherNet/IP) and alert on any connection attempt to an affected PLC from a host other than the approved engineering workstations and HMI servers, and on any traffic to a PLC port that the approved hosts do not normally use.