Rockwell Automation Allen-Bradley Micrologix 1100

Monitor7.5ICS-CERT ICSA-21-047-02Feb 16, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Allen-Bradley MicroLogix 1100 PLC (revision 1.0) contains a vulnerability (CWE-130) in its handling of input data over the Modbus TCP protocol (port 502). Successful exploitation requires only network access and no authentication, and results in a denial-of-service condition where the PLC becomes unresponsive. No firmware fix is available for this product.

What this means

What could happen

An attacker could trigger a denial-of-service condition on the MicroLogix 1100 PLC, causing it to stop responding and potentially halting the processes it controls until the device is manually restarted.

Who's at risk

Water and electric utilities operating Allen-Bradley MicroLogix 1100 programmable logic controllers in water treatment, wastewater, distribution, or power delivery systems should assess their exposure. These devices are commonly used in pump stations, treatment facilities, and substation controls where availability is critical.

How it could be exploited

An attacker with network access to port 502 (Modbus TCP, the default protocol for MicroLogix 1100) could send a specially crafted message that triggers a flaw in the device's handling of certain input data, causing the PLC to become unresponsive.

Prerequisites

Network access to the MicroLogix 1100 on port 502 (Modbus TCP)
No authentication required
Device must be running firmware revision 1.0

remotely exploitableno authentication requiredlow complexitydenial-of-service impactno patch available

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

Allen-Bradley MicroLogix 1100: revision number 1.01.0No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGImplement network segmentation to restrict access to the MicroLogix 1100. Only allow trusted engineering workstations and SCADA servers to communicate with the device on port 502.

WORKAROUNDDeploy a firewall rule or switch ACL to block unsolicited inbound traffic to port 502 on the MicroLogix 1100, limiting access to known, trusted IP addresses only.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor network traffic to the MicroLogix 1100 for anomalous Modbus TCP connections or malformed messages, and alert on suspicious activity.

Mitigations - no patch available

0/1

Allen-Bradley MicroLogix 1100: revision number 1.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGReview and implement CISA's Defense-in-Depth Strategies for Industrial Control Systems to improve overall security posture.

CVEs (1)

CVE-2020-6111

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4aa54335-0b44-4f17-b9c5-3a488b8bdaa9