OTPulse

Rockwell Automation Allen-Bradley MicroLogix 1400 Controllers

Status: Plan Patch
Score: 8.6
Source: ICS-CERT ICSA-18-009-01, Jan 9, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability in Allen-Bradley MicroLogix 1400 Controllers allows a remote, unauthenticated attacker to send a specially crafted EtherNet/IP packet that crashes or stops the controller. The vulnerability affects the listed MicroLogix 1400 models (Series B and C) running firmware version 21.002 and earlier. No firmware fix is listed for any of the affected catalog numbers, and the Series B and C firmware line is marked end-of-life, so a vendor patch should not be expected; compensating controls are the only available remediation.

What this means
What could happen
An attacker could remotely stop or crash a MicroLogix 1400 controller without authentication, interrupting any automated process it controls (conveyor systems, pump stations, production lines, etc.). The advisory describes a denial-of-service (availability) impact only; it does not claim a loss of integrity or confidentiality of controller data.
Who's at risk
Water authorities, electric utilities, food processing plants, and other manufacturers that rely on Allen-Bradley MicroLogix 1400 controllers for automated process control (pumping, treatment, power distribution, production sequencing). Any facility with networked MicroLogix 1400 controllers is at risk.
How it could be exploited
An attacker sends a crafted EtherNet/IP packet to port 44818 on the controller; no login or prior session is required. The packet triggers a buffer overflow in the controller firmware, causing it to crash or enter a non-responsive state. The advisory does not describe the contents of the packet.
Prerequisites
  • Network reachability to the controller on port 44818 (EtherNet/IP); a controller that is segmented behind a firewall is reachable only from the hosts the firewall permits
  • No credentials or authentication of any kind
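As an added example (not code from the advisory or from Rockwell Automation), the following parses the EtherNet/IP encapsulation that rides on port 44818 and the ListIdentity response a device returns, which is how an asset inventory can confirm which hosts are MicroLogix 1400 units at firmware 21.002 or earlier. The frame it parses is constructed in the script from the public ODVA layout; the product name, serial number, product code and IP address are made-up sample values, and the only device-specific facts relied on are Rockwell's EtherNet/IP vendor ID of 1 and the 1766- catalog prefix. It also rejects frames whose declared length disagrees with the bytes present; the advisory does not say what the crafted packet contains, so nothing here reproduces it.

```python
"""Parse EtherNet/IP encapsulation frames (port 44818) and ListIdentity replies.

Added example, not code from the advisory or from Rockwell Automation. The frame
is constructed below from the public ODVA layout; product name, serial, product
code and IP address are sample values. Frames whose declared length does not match
the bytes present are rejected. The malformation that triggers the MicroLogix 1400
overflow is not described in the advisory and is not reproduced here.
"""
import ipaddress
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C
ROCKWELL_VENDOR_ID = 1           # ODVA vendor ID for Rockwell Automation/Allen-Bradley
# Encapsulation header: command, length, session handle, status, sender context, options
HEADER = struct.Struct("<HHIIQI")  # 24 bytes, little-endian
# Identity item after the 16-byte socket address: vendor, device type, product code,
# revision major, revision minor, status, serial number
IDENT = struct.Struct("<HHHBBHI")  # 14 bytes


def build_list_identity_response(product_name, vendor_id=ROCKWELL_VENDOR_ID, revision=(21, 2),
                                 product_code=0x0000, serial=0x12345678, ip="192.0.2.10"):
    """Construct a ListIdentity reply for a hypothetical device (sample data, not captured)."""
    name = product_name.encode("ascii")
    # sockaddr_in is big-endian per the ODVA spec: family=2 (AF_INET), port, address, 8 zero bytes
    sockaddr = struct.pack(">HH4s8x", 2, ENIP_PORT, ipaddress.IPv4Address(ip).packed)
    item = (struct.pack("<H", 1)                     # encapsulation protocol version
            + sockaddr
            + IDENT.pack(vendor_id, 0x000E, product_code, revision[0], revision[1], 0, serial)
            + bytes([len(name)]) + name              # SHORT_STRING product name
            + b"\x03")                               # device state (sample value)
    data = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(data), 0, 0, 0, 0) + data


def parse_frame(frame):
    """Split an encapsulation frame into header fields and payload, rejecting length mismatches."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than the 24-byte encapsulation header")
    command, length, session, status, _context, _options = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if len(payload) != length:
        raise ValueError(f"declared length {length} but {len(payload)} payload bytes present")
    return {"command": command, "session": session, "status": status, "payload": payload}


def is_well_formed(frame):
    """True when the encapsulation header and payload length are consistent."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def parse_list_identity(frame):
    """Return the CIP identity items carried in a ListIdentity response."""
    hdr = parse_frame(frame)
    if hdr["command"] != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{hdr['command']:04x}")
    payload = hdr["payload"]
    if len(payload) < 2:
        raise ValueError("missing item count")
    (item_count,) = struct.unpack_from("<H", payload, 0)
    offset, devices = 2, []
    for _ in range(item_count):
        if offset + 4 > len(payload):
            raise ValueError("truncated item header")
        type_id, item_len = struct.unpack_from("<HH", payload, offset)
        offset += 4
        item = payload[offset:offset + item_len]
        if len(item) != item_len:
            raise ValueError("truncated identity item")
        offset += item_len
        if type_id != ITEM_CIP_IDENTITY:
            continue
        if len(item) < 34:  # 2 + 16 + 14 + name length byte + state byte, with an empty name
            raise ValueError("identity item too short")
        _family, port, addr = struct.unpack_from(">HH4s", item, 2)
        vendor, dev_type, prod_code, rev_major, rev_minor, _status, serial = IDENT.unpack_from(item, 18)
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", "replace")
        devices.append({"address": str(ipaddress.IPv4Address(addr)), "port": port,
                        "vendor_id": vendor, "device_type": dev_type, "product_code": prod_code,
                        "revision": (rev_major, rev_minor), "serial": serial, "product_name": name})
    return devices


def in_advisory_scope(device):
    """True for a MicroLogix 1400 (catalog 1766-*) at firmware 21.002 or earlier, per the advisory.
    Assumes the product name begins with the catalog number, as in the constructed sample."""
    return (device["vendor_id"] == ROCKWELL_VENDOR_ID
            and device["product_name"].startswith("1766-")
            and device["revision"] <= (21, 2))


if __name__ == "__main__":
    sample = build_list_identity_response("1766-L32BWA B/21.02")
    for dev in parse_list_identity(sample):
        print(dev["address"], dev["product_name"], dev["revision"], "affected" if in_advisory_scope(dev) else "ok")
```

Sending a real ListIdentity request to the controllers on your own network (command 0x0063 with an empty payload) and feeding the replies to parse_list_identity gives a firmware-level inventory to set against the affected-versions table; run such queries only from an engineering workstation the firewall already permits, since an unexpected source on 44818 is exactly what the monitoring mitigation should alert on.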
Tags: remotely exploitable · no authentication required · low complexity · no patch available · causes denial of service to critical automation
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
6 pending, 1 EOL
Product | Affected Versions | Fix Status
Allen-Bradley MicroLogix 1400 Controllers, 1766-L32AWAA | 1766-L32AWAA | No fix yet
Allen-Bradley MicroLogix 1400 Controllers, 1766-L32AWA | 1766-L32AWA | No fix yet
Allen-Bradley MicroLogix 1400 Controllers, 1766-L32BWAA | 1766-L32BWAA | No fix yet
Allen-Bradley MicroLogix 1400 Controllers, 1766-L32BXBA | 1766-L32BXBA | No fix yet
Allen-Bradley MicroLogix 1400 Controllers, 1766-L32BXB | 1766-L32BXB | No fix yet
Allen-Bradley MicroLogix 1400 Controllers, 1766-L32BWA | 1766-L32BWA | No fix yet
MicroLogix 1400 Controllers Series B and C | firmware 21.002 and earlier | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation: place the MicroLogix controller behind a firewall and isolate it from the business network and the Internet
HARDENING: Disable or restrict EtherNet/IP access (port 44818) at the firewall to only trusted engineering workstations or authorized remote access systems
WORKAROUND: If remote access to the controller is required, deploy a VPN and keep the VPN software and all connected devices current with security patches
Mitigations - no patch available
MicroLogix 1400 Controllers Series B and C have reached end of life. The vendor will not release a patch. Apply the following compensating control in addition to the segmentation and firewall restrictions above:
HARDENING: Monitor network traffic to the controller for anomalous patterns and alert on EtherNet/IP connections from any host that is not an approved engineering workstation or remote access system
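The firewall restriction and the monitoring control above amount to the same rule, applied at two layers: only approved engineering workstations and remote access systems may reach a MicroLogix 1400 on port 44818, and anything else should raise an alert. As an added example (not code from the advisory or from Rockwell Automation), the following applies that rule to connection records. The controller addresses and the allowlist are hypothetical, and the log lines are constructed in Zeek conn.log style (tab-separated ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto); none of it was captured from a real network.

```python
"""Alert on EtherNet/IP (port 44818) connections to MicroLogix 1400 controllers
from hosts outside the engineering-workstation allowlist.

Added example, not code from the advisory or from Rockwell Automation. Controller
and workstation addresses are hypothetical, and the log lines are constructed in
Zeek conn.log style; nothing here was captured from a real network.
"""
import ipaddress

ENIP_PORT = 44818

# Hypothetical asset inventory: the controllers, and the only hosts allowed to reach them
CONTROLLERS = {ipaddress.ip_address("10.10.5.21"), ipaddress.ip_address("10.10.5.22")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.1.0/24"),   # engineering workstation VLAN
                   ipaddress.ip_network("10.10.9.5/32")]   # remote-access jump host

# Constructed sample records: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1515500000.1\tC1\t10.10.1.15\t51234\t10.10.5.21\t44818\ttcp
1515500001.2\tC2\t10.10.9.5\t52000\t10.10.5.22\t44818\ttcp
1515500002.3\tC3\t10.10.7.40\t53001\t10.10.5.21\t44818\ttcp
1515500003.4\tC4\t10.10.7.40\t53002\t10.10.5.21\t44818\tudp
1515500004.5\tC5\t10.10.7.40\t53003\t10.10.5.21\t502\ttcp
1515500005.6\tC6\t10.10.1.15\t51235\t10.10.5.21\t80\ttcp
"""


def parse_conn_line(line):
    """Parse one conn.log record; return None for header/comment lines or malformed records."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    try:
        return {"ts": float(fields[0]), "uid": fields[1],
                "src": ipaddress.ip_address(fields[2]), "src_port": int(fields[3]),
                "dst": ipaddress.ip_address(fields[4]), "dst_port": int(fields[5]),
                "proto": fields[6]}
    except ValueError:
        return None


def source_allowed(addr):
    """True when the source address falls inside one of the approved networks."""
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unexpected_enip(lines):
    """Return the connections that reach a controller on 44818 from a non-allowlisted host."""
    alerts = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        if (rec["dst"] in CONTROLLERS and rec["dst_port"] == ENIP_PORT
                and not source_allowed(rec["src"])):
            alerts.append({"uid": rec["uid"], "ts": rec["ts"], "proto": rec["proto"],
                           "src": str(rec["src"]), "dst": str(rec["dst"])})
    return alerts


def summarize_by_source(alerts):
    """Count alerts per offending source so repeated probing of a controller stands out."""
    counts = {}
    for alert in alerts:
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unexpected_enip(SAMPLE_CONN_LOG.splitlines())
    for a in hits:
        print(f"ALERT {a['ts']:.1f} {a['src']} -> {a['dst']}:{ENIP_PORT}/{a['proto']} uid={a['uid']}")
    print(summarize_by_source(hits))
```

Both TCP and UDP 44818 are checked, since EtherNet/IP uses both. The 502/tcp record is deliberately ignored: it is not EtherNet/IP and this advisory says nothing about other protocols, so a separate rule would be needed if that port is also exposed on the controller.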