Rockwell Automation MicroLogix 1100 and 1400

MonitorCVSS 7.5ICS-CERT ICSA-22-354-04Dec 20, 2022

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The MicroLogix 1100 and 1400 programmable logic controllers contain vulnerabilities in the web server component (CWE-79, CWE-1021) that could enable remote denial-of-service attacks or remote code execution. The vulnerabilities exist across all MicroLogix 1100 versions and affect MicroLogix 1400 models up to version 21.007. The web server is an optional feature and is exposed to attackers with network access to port 802 (HTTP). Rockwell Automation has not released a firmware patch and recommends disabling the web server or upgrading to MicroLogix 800/850 series as mitigations.

What this means

What could happen

A remote attacker could cause a denial-of-service condition by stopping the PLC, disrupting water treatment, power distribution, or pump operations. Remote code execution is also possible, allowing an attacker to modify process logic or control parameters.

Who's at risk

Water authorities and municipal utilities operating MicroLogix 1100 or 1400 controllers for SCADA systems, pump control, treatment process automation, or power distribution should take immediate action. Any facility using these PLCs for critical process control is affected.

How it could be exploited

An attacker with network access to the device's HTTP port (802) can send a malicious request to the web server component to trigger a DoS or execute code. The attack requires no authentication and can be performed remotely.

Prerequisites

Network access to TCP port 802 (HTTP) on the MicroLogix device
Web server component must be enabled (default state)
No authentication required

remotely exploitableno authentication requiredlow complexityno patch availableaffects safety-related systemsdenial-of-service impact

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

MicroLogix 1100 and 1400: MicroLogix 1100: all versionsAll versionsNo fix (EOL)

MicroLogix 1100 and 1400: MicroLogix 1400 A:≤ 7.000No fix (EOL)

MicroLogix 1100 and 1400: MicroLogix 1400 B/C:≤ 21.007No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable the web server component on MicroLogix 1100 and 1400 devices (optional feature, no operational impact)

HARDENINGConfigure firewall rules to block inbound traffic on TCP port 802 from untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXPlan to upgrade to MicroLogix 800 or 850 series as a long-term solution (these devices do not have the vulnerable web server component)

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: MicroLogix 1100 and 1400: MicroLogix 1100: all versions, MicroLogix 1100 and 1400: MicroLogix 1400 A:, MicroLogix 1100 and 1400: MicroLogix 1400 B/C:. Apply the following compensating controls:

HARDENINGIsolate MicroLogix devices from the business network and place them behind firewalls

CVEs (2)

CVE-2022-46670 CVE-2022-3166

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dca21722-d12e-4110-8349-359b3255985b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.