Rockwell Automation MicroLogix Controllers and RSLogix 500 Software

Act Now9.8ICS-CERT ICSA-20-070-06Mar 10, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

MicroLogix 1100 and 1400 Series A controllers, along with RSLogix 500 software v12.001 and prior, contain cryptographic weaknesses (CWE-321, CWE-327, CWE-603, CWE-312) that allow unauthenticated access to sensitive project file information including passwords. An attacker with network access could read project files and extract credentials without authentication.

What this means

What could happen

An attacker could extract sensitive project file information including passwords from MicroLogix controllers and RSLogix 500 software, potentially exposing credentials needed to modify control logic or access other plant systems.

Who's at risk

Water authorities and utilities using Rockwell Automation MicroLogix controllers (especially 1100 and 1400 Series A models) and RSLogix 500 engineering software for PLC configuration and control. Affected operators should prioritize devices that store critical process passwords or operate safety-critical functions.

How it could be exploited

An attacker with network access to a MicroLogix controller or RSLogix 500 workstation could read unencrypted or weakly encrypted project files stored on the device or engineering PC. This allows password extraction without needing valid credentials or authentication mechanisms.

Prerequisites

Network access to the MicroLogix controller or RSLogix 500 engineering workstation
Ability to read project files from the device memory or workstation disk

Remotely exploitableNo authentication requiredLow complexityNo patch available for Series A controllers or MicroLogix 1100Affects sensitive credential storageWeak encryption of project files

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (4)

1 with fix2 pending1 EOL

ProductAffected VersionsFix Status

RSLogix 500 Software: v12.001 and prior≤ 12.001v11 or later

MicroLogix 1100 Controller: all versionsAll versionsNo fix (EOL)

Series B: v21.001 and prior≤ 21.001No fix yet

Series A: all versionsAll versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGRestrict network access to MicroLogix controllers and RSLogix 500 workstations from untrusted networks; ensure devices are not reachable from the Internet or business network

HARDENINGPlace control system networks behind firewalls with strict inbound/outbound rules limiting access to authorized engineering and operations personnel only

HARDENINGIf remote access to RSLogix 500 or MicroLogix devices is required, use a dedicated VPN with current security patches and multi-factor authentication

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXFor MicroLogix 1400 Series B: Update to firmware FRN 21.002 or later and enable the enhanced password security feature

HOTFIXFor RSLogix 500: Update to v11 or later and ensure MicroLogix 1400 Series B devices are running FRN 21.001 or later

CVEs (4)

CVE-2020-6990 CVE-2020-6984 CVE-2020-6988 CVE-2020-6980

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f406dc35-5550-410b-8761-ae75735cadf5