OTPulse
FeedAboutContact

Rockwell Automation MicroLogix 1100 Controllers

Monitor7.5ICS-CERT ICSA-17-138-03May 18, 2017
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

MicroLogix 1100 controllers contain an input validation flaw that allows an attacker to send specially crafted packets to the device, causing it to become unresponsive and stop processing. This denial of service condition affects all 1763-L16 series variants and requires no authentication. Rockwell Automation recommends updating to firmware version FRN 16.0 or later to resolve the issue.

What this means
What could happen
An attacker with network access to a MicroLogix 1100 controller can send malformed input that triggers a denial of service condition, causing the PLC to stop responding and halting the industrial processes it controls.
Who's at risk
Water treatment plants, wastewater systems, and municipal electric utilities that use MicroLogix 1100 controllers for process automation, pump control, or sensor monitoring. The vulnerability affects all four variants of the 1763-L16 series controllers commonly found in small to mid-size automation applications.
How it could be exploited
An attacker can send specially crafted network packets to port 502 (Ethernet/IP) or 44818 (native protocol) on the MicroLogix 1100. The controller fails to properly validate the input, causing the processor to become unresponsive. No authentication is required.
Prerequisites
  • Network access to the MicroLogix 1100 controller on port 502 or 44818
  • No authentication required
  • Controller must be reachable from attacker's network
remotely exploitableno authentication requiredlow complexityaffects availability/operationsno patch available for older firmware revisions
Exploitability
Moderate exploit probability (EPSS 10.0%)
Affected products (4)
4 pending
ProductAffected VersionsFix Status
MicroLogix 1100 controllers: 1763-L16DWD1763-L16DWDNo fix yet
MicroLogix 1100 controllers: 1763-L16BWA1763-L16BWANo fix yet
MicroLogix 1100 controllers: 1763-L16AWA1763-L16AWANo fix yet
MicroLogix 1100 controllers: 1763-L16BBB1763-L16BBBNo fix yet
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDRestrict network access to MicroLogix 1100 controllers using firewall rules; only allow connections from authorized engineering workstations and SCADA/HMI systems
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all MicroLogix 1100 controllers to firmware version FRN 16.0 or later
Long-term hardening
0/2
HARDENINGSegment MicroLogix 1100 controllers onto a dedicated industrial control network isolated from corporate IT networks
HARDENINGMonitor network traffic to the MicroLogix 1100 controllers for suspicious connection attempts and malformed packets
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/f814f128-e881-45fe-880e-9d0aff4e6aaf
Rockwell Automation MicroLogix 1100 Controllers | CVSS 7.5 - OTPulse