OTPulse

Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability (Update A)

CVSS: 6.1
Source: ICS-CERT ICSA-16-061-02
Date: Dec 3, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Reflective cross-site scripting (XSS) vulnerability in Rockwell Automation Allen-Bradley CompactLogix controllers and EtherNet/IP modules. The vulnerability exists in the web interface and can be exploited when a user clicks a malicious link containing crafted script code. The flaw affects multiple CompactLogix models (1769-L series) running firmware version 27.011 or earlier, and EtherNet/IP adapter modules (1756-EN2F, 1756-EN2T, 1756-EN2TR, 1756-EN3TR series) across multiple firmware versions. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the user's browser session, potentially leading to session hijacking, credential theft, or unauthorized configuration changes.

What this means
What could happen
An attacker could trick an operator into clicking a malicious link, executing JavaScript code in their browser session and potentially capturing credentials or modifying PLC settings. This could allow unauthorized changes to process logic, setpoints, or safety parameters without detection.
Who's at risk
Operators and engineers at water utilities, power generation, and discrete manufacturing facilities who use Rockwell Automation CompactLogix PLCs (1769-L series) or EtherNet/IP adapter modules (1756-EN2F, 1756-EN2T, 1756-EN2TR, 1756-EN3TR) for process control. Particularly relevant for facilities where engineering staff access the PLC web interface for configuration and monitoring. Any organization using these devices for critical process automation should assess exposure.
How it could be exploited
An attacker crafts a malicious URL containing JavaScript code and sends it via email or posts it on a website. When an authenticated operator or engineer clicks the link while logged into the PLC's web interface, the JavaScript executes in their browser context with their privileges. The attacker can then steal session tokens, harvest credentials entered by the user, or interact with the web interface to modify PLC configuration or logic.
Prerequisites
  • User must be authenticated to the CompactLogix or EtherNet/IP device web interface
  • User must click on an attacker-supplied link while logged in
  • Web interface must be accessible (not blocked by firewall or network segmentation)
  • User interaction required (social engineering or phishing email)
Risk factors
  • Remotely exploitable via web interface
  • User interaction required (reduces but does not eliminate risk)
  • No patch available for most affected models
  • Affects engineering workstations that interact with control devices
  • Could lead to unauthorized process control modifications
  • Requires social engineering (phishing) to be effective
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (23)
23 pending
Product               Affected Versions   Fix Status
1769-L16ER-BB1B       ≤ 27.011            No fix yet
1769-L18ER-BB1B       ≤ 27.011            No fix yet
1769-L18ERM-BB1B      ≤ 27.011            No fix yet
1769-L24ER-QB1B       ≤ 27.011            No fix yet
1769-L24ER-QBFC1B     ≤ 27.011            No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to PLC web interfaces using firewall rules; do not allow direct internet access to control devices
  • HARDENING: Conduct security awareness training for operators and engineers on phishing and social engineering attacks, with emphasis on not clicking links from untrusted sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Apply firmware version 28.011 or later to CompactLogix controllers (1769-L16ER-BB1B, 1769-L18ER-BB1B, 1769-L18ERM-BB1B, 1769-L24ER-QB1B, 1769-L24ER-QBFC1B, 1769-L27ERM-QBFC1B, 1769-L30ER, 1769-L30ERM, 1769-L30ER-NSE, 1769-L33ER, 1769-L33ERM, 1769-L36ERM)
  • HOTFIX: Apply FRN 10.010 or later to 1756-EN2F Series C, 1756-EN2T Series D, 1756-EN2TR Series C, and 1756-EN3TR Series B modules
  • HOTFIX: For 1769-L23E-QB1B, migrate to 1769-L24ER-BB1B; for 1769-L23E-QBFC1B, migrate to 1769-L24ER-QBFC1B (end-of-life products with no patch)
  • HARDENING: Ensure all engineering workstations use current antivirus and antimalware software
Long-term hardening
  • HARDENING: Implement network segmentation to isolate control system devices from the business network and internet
  • HARDENING: If remote access to PLC web interfaces is required, enforce access through a VPN and ensure the VPN software is kept current
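As an added example that is not part of the advisory: detection logic a defender can run over web-proxy or firewall logs to spot the crafted links described under "How it could be exploited" while the network restrictions above are being rolled out. The PLC addresses, the log format and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Hypothetical addresses of the CompactLogix / EtherNet/IP module web pages.
PLC_WEB_HOSTS = {"10.10.20.11", "10.10.20.12"}
# Heuristic markers for script injected into a reflected parameter.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.I)
# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def script_bearing_params(url):
    """Names of query parameters whose decoded value looks like script."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded links.
        if SCRIPT_MARKERS.search(unquote_plus(value)):
            hits.append(name)
    return hits


def scan_log(lines):
    """Return (client, plc_host, params) for each suspicious request to a PLC host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        host = urlsplit(m["url"]).hostname
        if host in PLC_WEB_HOSTS:
            params = script_bearing_params(m["url"])
            if params:
                findings.append((m["client"], host, params))
    return findings


# Constructed sample lines: a normal request, a crafted link (single-encoded),
# the same pattern against a non-PLC host, a double-encoded link, and junk.
SAMPLE_LOG = [
    "2016-12-03T10:15:02Z 10.10.5.40 GET http://10.10.20.11/index.html?page=diagnostics 200",
    "2016-12-03T10:15:09Z 10.10.5.40 GET http://10.10.20.11/index.html?page=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "2016-12-03T10:16:30Z 10.10.5.41 GET http://intranet.example/search?q=%3Cscript%3E 200",
    "2016-12-03T10:17:12Z 10.10.5.41 GET http://10.10.20.12/diag.html?tag=%253Cscript%253E 200",
    "not a log line",
]

if __name__ == "__main__":
    for client, host, params in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {host} script-like value in {params}")
```

A hit is a lead, not proof: the PLC firmware reflects the value regardless, so a flagged request from an operator workstation is the cue to check what link that user followed and from where.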