OTPulse

Rockwell Automation MicroLogix 1100 and 1400

Monitor
CVSS: 7.5
Source: ICS-CERT ICSA-22-354-04
Published: Dec 20, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The MicroLogix 1100 and 1400 programmable logic controllers contain vulnerabilities in the web server component (CWE-79, CWE-1021) that could enable remote denial-of-service attacks or remote code execution. The vulnerabilities exist across all MicroLogix 1100 versions and affect MicroLogix 1400 models up to version 21.007. The web server is an optional feature and is exposed to attackers with network access to port 802 (HTTP). Rockwell Automation has not released a firmware patch and recommends disabling the web server or upgrading to MicroLogix 800/850 series as mitigations.

What this means
What could happen
A remote attacker could cause a denial-of-service condition by stopping the PLC, disrupting water treatment, power distribution, or pump operations. Remote code execution is also possible, allowing an attacker to modify process logic or control parameters.
Who's at risk
Water authorities and municipal utilities operating MicroLogix 1100 or 1400 controllers for SCADA systems, pump control, treatment process automation, or power distribution should take immediate action. Any facility using these PLCs for critical process control is affected.
How it could be exploited
An attacker with network access to the device's HTTP port (802) can send a malicious request to the web server component to trigger a DoS or execute code. The attack requires no authentication and can be performed remotely.
Prerequisites
  • Network access to TCP port 802 (HTTP) on the MicroLogix device
  • Web server component must be enabled (default state)
  • No authentication required
Tags:
  • remotely exploitable
  • no authentication required
  • low complexity
  • no patch available
  • affects safety-related systems
  • denial-of-service impact
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 end-of-life (EOL)
Product | Affected Versions | Fix Status
MicroLogix 1100 | All versions | No fix (EOL)
MicroLogix 1400 A | ≤ 7.000 | No fix (EOL)
MicroLogix 1400 B/C | ≤ 21.007 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server component on MicroLogix 1100 and 1400 devices (optional feature, no operational impact).
HARDENING: Configure firewall rules to block inbound traffic on TCP port 802 from untrusted networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Plan to upgrade to the MicroLogix 800 or 850 series as a long-term solution (these devices do not have the vulnerable web server component).
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MicroLogix 1100 (all versions), MicroLogix 1400 A (≤ 7.000), and MicroLogix 1400 B/C (≤ 21.007). Apply the following compensating controls:
HARDENING: Isolate MicroLogix devices from the business network and place them behind firewalls.
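The prerequisites above reduce to one condition a defender can verify from the network edge: can anything outside the engineering zone reach TCP port 802 on a MicroLogix device? The following script, added here as an illustration and not part of OTPulse or Rockwell Automation's own material, checks firewall log lines for that condition. It flags an ACCEPT of inbound TCP/802 from outside an allow-listed source subnet (the firewall rule in the HARDENING item is missing or wrong) and also surfaces DROPs of such traffic (the rule is working, but something is probing the PLC web port). The log format, the subnet values, the PLC addresses and the sample lines are all constructed assumptions for the example.

```python
"""Check firewall logs for access to the MicroLogix web-server port (TCP 802,
as named in the advisory) from outside an allow-listed engineering subnet.

Added example for this advisory; not OTPulse or Rockwell Automation code.
The log format, subnets, addresses and sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed network layout (constructed): PLCs live in 10.20.0.0/24 and only the
# engineering workstation subnet may reach the PLC web server.
PLC_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]
WEB_SERVER_PORT = 802  # HTTP port named in the advisory

# Constructed log format: "<ts> ACCEPT|DROP proto=<proto> src=A:P dst=B:P"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    action: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def check_line(line):
    """Return a Finding when the PLC web port is reached (or probed) from a
    source outside the allow-list; otherwise None."""
    rec = parse_line(line)
    if rec is None or rec["proto"].lower() != "tcp" or rec["dport"] != WEB_SERVER_PORT:
        return None
    if ipaddress.ip_address(rec["dst"]) not in PLC_SUBNET:
        return None
    if is_allowed_source(rec["src"]):
        return None
    if rec["action"] == "ACCEPT":
        reason = "web server reachable from untrusted network (firewall rule missing)"
    else:
        reason = "blocked probe of web server port (firewall rule effective)"
    return Finding(rec["ts"], rec["src"], rec["dst"], rec["action"], reason)


def scan(lines):
    """Run check_line over every line and collect the findings in order."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


# Constructed sample log: one permitted engineering access, one ACCEPT from a
# foreign subnet, one blocked probe, one non-802 flow, one UDP flow, one junk line.
SAMPLE_LOG = [
    "2022-12-21T08:00:01Z ACCEPT proto=tcp src=10.10.5.14:51000 dst=10.20.0.7:802",
    "2022-12-21T08:00:05Z ACCEPT proto=tcp src=192.168.50.9:40012 dst=10.20.0.7:802",
    "2022-12-21T08:01:10Z DROP proto=tcp src=203.0.113.77:33333 dst=10.20.0.7:802",
    "2022-12-21T08:02:00Z ACCEPT proto=tcp src=192.168.50.9:40013 dst=10.20.0.7:44818",
    "2022-12-21T08:02:30Z ACCEPT proto=udp src=192.168.50.9:5000 dst=10.20.0.7:802",
    "not a firewall log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.action} {f.src} -> {f.dst}: {f.reason}")
```

On the sample data the script reports two findings: the ACCEPT from 192.168.50.9, which means the port-802 block rule is not in place for that subnet, and the DROP from 203.0.113.77, which is the rule doing its job against a probe. Point the same check at the real edge firewall's exported logs (after adapting LOG_RE to its format) to confirm the HARDENING item holds after each firewall change.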