Rockwell Automation MicroLogix
Monitor · 6.5 · ICS-CERT ICSA-22-188-01 · Jul 7, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A vulnerability in the MicroLogix 1100 and 1400 web server could allow an attacker to perform a phishing or website spoofing attack to harvest user credentials. If successful, an attacker with valid credentials could authenticate to the MicroLogix device and access sensitive information or potentially modify control settings. Rockwell Automation has not issued a patch; the vulnerability must be mitigated through operational controls.
What this means
What could happen
An attacker could trick a legitimate user into visiting a malicious website that harvests authentication credentials for the MicroLogix device. Compromised credentials could allow the attacker to access and modify control logic or configuration settings.
Who's at risk
This affects operators and engineers at utilities and manufacturing facilities using MicroLogix 1100 or 1400 controllers for process monitoring and control. Affected users manage these devices through web-based interfaces, primarily engineering workstation staff and on-call technicians who access the device remotely or locally for diagnostics and configuration.
How it could be exploited
The attacker crafts a phishing email or message with a link to a malicious website that mimics the MicroLogix web interface. When a user visits the site, the attacker can harvest the credentials the user enters there, or the user's browser may submit stored credentials to the spoofed page. The attacker then uses those credentials to authenticate to the actual MicroLogix web server and access the device.
Prerequisites
- User must click a malicious link or visit an untrusted website
- User must have valid credentials for the MicroLogix device
- MicroLogix web server must be enabled and reachable from the user's network
- Low attack complexity
- User interaction required (phishing)
- No patch available (end-of-life products)
- Affects authentication credentials for control devices
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (2)
2 EOL
Product          | Affected Versions | Fix Status
MicroLogix 1100  | All versions      | No fix (EOL)
MicroLogix 1400  | ≤ 21.007          | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable the MicroLogix web server if it is not required for your operations
- HARDENING: Configure firewall rules to block HTTP traffic (port 80) to MicroLogix devices from the engineering workstation network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement HTTPS/TLS for any web-based management interfaces if the web server must remain enabled
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MicroLogix 1100 (all versions) and MicroLogix 1400. Apply the following compensating controls:
- HARDENING: Train users to recognize phishing emails and verify website URLs before entering credentials
CVEs (1)
API:
/api/v1/advisories/ef183212-6246-4a2a-95dd-dcfb865d8fc4