OTPulse

Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules

Plan Patch · CVSS 8.6 · ICS-CERT ICSA-18-310-02 · Nov 6, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An unauthenticated attacker can send EtherNet/IP protocol messages to MicroLogix 1400 controllers and 1756 ControlLogix communications modules to modify system settings and cause loss of communication between the device and the control system. The vulnerability affects all versions of most 1756-EN series communication modules (1756-ENBT, 1756-EN2F Series A and B, 1756-EN2T Series A and B, 1756-EN2TR Series A and B, 1756-EN3TR Series A, and 1756-EWEB all series) and all versions of MicroLogix 1400 Series A. MicroLogix 1400 Series B and C are vulnerable in firmware version 21.003 and earlier. Some 1756-EN modules have firmware patches available (FRN 11.001 and later for 1756-EN2F Series C, 1756-EN2T Series D, 1756-EN2TR Series C, and 1756-EN3TR Series B; FRN 21.004 and later for MicroLogix 1400 Series B and C), but many devices including Series A controllers have no direct mitigation available from the vendor.

What this means
What could happen
An unauthenticated attacker on your network could modify control system settings and disrupt communication between your PLC or communications module and the control system, causing loss of visibility and control over the physical process.
Who's at risk
Water utilities and power plants using Rockwell Automation MicroLogix 1400 programmable controllers and 1756 ControlLogix EtherNet/IP communications modules are affected. These devices are commonly used to control pumps, motors, switches, and other critical plant equipment. Any facility relying on Rockwell ControlLogix systems for process automation should assess their exposure.
How it could be exploited
An attacker with network access to port 2222 or 44818 (EtherNet/IP) can send unauthenticated commands to modify system settings or stop communication without needing valid credentials or special configuration knowledge.
Prerequisites
  • Network access to port 2222 (TCP or UDP) or port 44818 (TCP or UDP)
  • Device must be reachable from the attacker's network segment
  • No authentication or special privileges required
remotely exploitable · no authentication required · low complexity · no patch available for most affected devices · high CVSS score (8.6)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (18)
5 with fix, 13 EOL
Product | Affected Versions | Fix Status
MicroLogix 1400 Controllers Series A: all versions | All versions | No fix (EOL)
MicroLogix 1400 Controllers Series B: v21.003 and earlier | ≤ 21.003 | 21.004 or later
MicroLogix 1400 Controllers Series C: v21.003 and earlier | ≤ 21.003 | 21.004 or later
1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2F Series B: all versions | All versions | No fix (EOL)
1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2T Series B: all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Block all EtherNet/IP traffic (ports 2222 and 44818 TCP/UDP) from outside the operational/control network using firewalls or network access control lists
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: For MicroLogix 1400 Series B or C: Apply firmware FRN 21.004 or later, then use the LCD Display to put the controller in RUN mode to prevent configuration changes
HOTFIX: For 1756-EN2F Series C, 1756-EN2T Series D, 1756-EN2TR Series C, 1756-EN3TR Series B: Apply firmware FRN 11.001 or later, then enable Explicit Protected Mode in the EtherNet/IP module configuration
HARDENING: Review product documentation for hardware security features such as key switch settings that can block unauthorized configuration changes
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
  • MicroLogix 1400 Controllers Series A: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2F Series B: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2T Series B: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2T Series C: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2TR Series A: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2TR Series B: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN3TR Series A: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-ENBT: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2F Series A: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2T Series A: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EWEB Series A: all versions
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EN2F Series A: v10.10 and earlier
  • 1756 ControlLogix EtherNet/IP Communications Modules 1756-EWEB Series B: all versions
Apply the following compensating controls:
HARDENING: Isolate all control system devices and networks from the business network and the Internet using network segmentation and firewalls
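To verify that the port-blocking workaround and the isolation control above actually hold, the following added example (not code from OTPulse or Rockwell Automation) audits firewall flow records for allowed EtherNet/IP traffic that reaches a control-network device from outside it. The control-network range, the CSV record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: site-specific control-network ranges; replace with your own.
CONTROL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ENIP_PORTS = {2222, 44818}        # EtherNet/IP ports named in the advisory
ENIP_PROTOS = {"tcp", "udp"}      # the advisory lists both transports
# Constructed sample flow records (assumed layout): src,dst,proto,dport,action
SAMPLE_FLOWS = """\
10.20.1.15,10.20.5.10,tcp,44818,allow
192.168.50.7,10.20.5.10,tcp,44818,allow
192.168.50.7,10.20.5.11,udp,2222,deny
203.0.113.9,10.20.5.10,udp,44818,allow
10.20.1.15,10.20.5.10,tcp,443,allow
172.16.4.2,10.20.5.12,tcp,2222,allow
not-an-ip,10.20.5.10,tcp,44818,allow
"""

def in_control_net(addr):
    return any(addr in net for net in CONTROL_NETS)

def audit_flows(text):
    """Return (violations, skipped line numbers) for the given flow records."""
    violations, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src, dst, proto, dport, action = [f.strip() for f in line.split(",")]
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:            # wrong field count, bad address or port
            skipped.append(lineno)    # report it rather than silently ignore
            continue
        # Violation: an ALLOWED EtherNet/IP flow crossing into the control network.
        if (action.lower() == "allow" and proto.lower() in ENIP_PROTOS
                and port in ENIP_PORTS and in_control_net(dst_ip)
                and not in_control_net(src_ip)):
            violations.append((src, dst, proto.lower(), port))
    return violations, skipped

def exposed_devices(violations):
    """Group the outside sources by the control-network device they reached."""
    out = {}
    for src, dst, _proto, _port in violations:
        out.setdefault(dst, set()).add(src)
    return out

if __name__ == "__main__":
    for dst, srcs in sorted(exposed_devices(audit_flows(SAMPLE_FLOWS)[0]).items()):
        print(dst, "reachable on EtherNet/IP from", sorted(srcs))
```

Any device that appears in the output is still reachable on ports 2222 or 44818 from outside the control network, so the firewall or ACL rule in front of it needs tightening.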