Rockwell Automation MicroLogix 1100
Plan Patch | 8.6 | ICS-CERT ICSA-21-189-01 | Jul 8, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The MicroLogix 1100 controller contains a vulnerability in how it handles malformed EtherNet/IP packets. An attacker can send a specially crafted packet that causes the controller to enter a fault state, rendering it unresponsive. The vulnerability affects all versions of the MicroLogix 1100. Recovery requires manually downloading a new or backup project to the controller. Rockwell Automation has not released a firmware patch and instead recommends migrating to the Micro870 controller.
What this means
What could happen
An attacker can send specially crafted network packets to a MicroLogix 1100 controller, causing it to enter a fault state and stop responding to legitimate commands, disrupting production until the controller is manually recovered.
Who's at risk
Water and electric utilities operating Rockwell Automation MicroLogix 1100 controllers for pump control, filtration systems, or power distribution automation should assess exposure. Any facility with EtherNet/IP-connected MicroLogix 1100 controllers reachable from untrusted networks is at risk.
How it could be exploited
An attacker with network access to the controller's EtherNet/IP ports (TCP/UDP 2222 or 44818) can send a malformed packet that triggers a denial-of-service fault in the controller. No authentication is required, and the attack works from any network segment that can reach these ports.
Prerequisites
- Network access to the MicroLogix 1100 controller on TCP/UDP ports 2222 or 44818
- Controller mode switch is not set to RUN (the RUN position prevents remote programming)
remotely exploitable | no authentication required | low complexity | no patch available | affects operational availability
Exploitability
Moderate exploit probability (EPSS 2.7%)
Affected products (1)
Product | Affected Versions | Fix Status
MicroLogix 1100: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Set the controller mode switch to RUN to prevent remote programming
HARDENING: Use firewalls to block all EtherNet/IP traffic (TCP/UDP ports 2222 and 44818) from outside your manufacturing network
WORKAROUND: Maintain and test a backup copy of the controller project offline to enable fast recovery if a fault occurs
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Migrate to Micro870 controller to eliminate this vulnerability
Mitigations - no patch available
MicroLogix 1100: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment control system networks from business networks using firewalls
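One way to verify the firewall and segmentation controls above, as an added example that is not part of the advisory or vendor guidance: audit exported firewall flow records for sources outside the manufacturing network that were allowed to reach a controller on TCP/UDP 2222 or 44818. The CSV layout, the 10.20.0.0/16 network, the controller address and the sample records are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# EtherNet/IP ports named in the advisory (TCP and UDP).
ENIP_PORTS = {2222, 44818}
# Assumed placeholders: replace with your manufacturing network and controller IPs.
MANUFACTURING_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PLC_ADDRESSES = {ipaddress.ip_address("10.20.5.11")}

# Constructed sample flow records; a real export will use its own column names.
SAMPLE_FLOWS = """src,dst,proto,dport,action
10.20.3.40,10.20.5.11,tcp,44818,allow
192.168.50.7,10.20.5.11,tcp,44818,allow
192.168.50.7,10.20.5.11,udp,2222,deny
172.16.9.2,10.20.5.11,udp,44818,allow
10.20.3.40,10.20.5.11,tcp,80,allow
192.168.50.7,10.20.8.99,tcp,44818,allow
"""

def audit_flows(text):
    """Return (src, dst, proto, dport) for every flow where a source outside
    the manufacturing network was allowed to a controller's EtherNet/IP port."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
            proto, action = row["proto"].lower(), row["action"].lower()
        except (ValueError, TypeError, AttributeError, KeyError):
            continue  # skip malformed records instead of aborting the audit
        if dst not in PLC_ADDRESSES or dport not in ENIP_PORTS:
            continue  # not a controller, or not an EtherNet/IP port
        if proto not in ("tcp", "udp"):
            continue
        inside = any(src in net for net in MANUFACTURING_NETS)
        if action == "allow" and not inside:
            findings.append((str(src), str(dst), proto, dport))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("exposed:", *finding)
```

Any finding means the perimeter rule for ports 2222/44818 is missing or is shadowed by an earlier allow rule.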
CVEs (1)