A Vulnerability in Rockwell Automation MicroLogix 1400 PLC Systems Could Allow for Unauthorized Remote Access

ITS Advisory Number: 2016-135
Date(s) Issued: Friday, August 12, 2016
Subject: A Vulnerability in Rockwell Automation MicroLogix 1400 PLC Systems Could Allow for Unauthorized Remote Access
Overview: 

A vulnerability has been discovered in the Rockwell Automation MicroLogix 1400 Programmable Logic Controller (PLC) Systems that could allow for unauthorized remote access. These affected Industrial Control System (ICS) products are used across several sectors, including Chemical, Critical Manufacturing, Food and Agriculture, Water and Wastewater Systems and others. Successful exploitation of this vulnerability could allow an attacker to perform remote code execution on the affected device.

Systems Affected: 
  • 1766-L32BWA
  • 1766-L32AWA
  • 1766-L32BXB
  • 1766-L32BWAA
  • 1766-L32AWAA
  • 1766-L32BXBA
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: N/A
Description: 

A vulnerability has been discovered in the Rockwell Automation MicroLogix 1400 PLC that could allow for undocumented and privileged Simple Network Management Protocol (SNMP) access via a community string. This vulnerability can be exploited when SNMP is open on the network, as it is by default to allow for firmware updates. (CVE-2016-5646)

Actions: 
  • Limit access to the device to authorized hosts. Where possible, locate the devices behind firewalls and if remote access is required, use secure methods such as virtual private networks (VPN).
  • Utilize the product's "RUN" keyswitch setting to prevent unauthorized and undesired firmware update operations and other disruptive configuration changes.
  • If appropriate, disable SNMP on the MicroLogix 1400.
    • Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
  • Review log files to determine if the identified vulnerability was exploited, and remediate per your security policy and procedures.  
  • Note: Changing the SNMP community strings is not an effective mitigation.
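
An added example, not part of the advisory: one way to support the log-review and authorized-hosts actions above is to scan exported network flow records for SNMP traffic that reached a PLC from a host outside the authorized set. The CSV record layout, the addresses, and the function name are constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

SNMP_PORT = 161  # standard SNMP agent port (UDP)

# Constructed sample flow records: timestamp,src,dst,proto,dport,bytes.
# Addresses are private/documentation ranges, not values from the advisory.
SAMPLE_FLOWS = """\
2016-08-12T09:00:01Z,10.20.0.5,10.20.1.10,udp,161,412
2016-08-12T09:03:44Z,10.20.0.5,10.20.1.10,tcp,44818,980
2016-08-12T09:07:19Z,192.0.2.77,10.20.1.10,udp,161,133
2016-08-12T09:07:20Z,192.0.2.77,10.20.1.11,udp,161,131
2016-08-12T09:15:02Z,10.20.3.40,10.20.1.11,udp,161,5120
2016-08-12T09:20:00Z,192.0.2.77,10.20.9.9,udp,161,90
"""

def unauthorized_snmp(flow_text, plc_hosts, authorized_nets):
    """Return {source: [(timestamp, plc, bytes), ...]} for SNMP flows that
    reached a listed PLC from a source outside every authorized network."""
    plcs = {ipaddress.ip_address(h) for h in plc_hosts}
    nets = [ipaddress.ip_network(n) for n in authorized_nets]
    hits = defaultdict(list)
    for row in csv.reader(flow_text.splitlines()):
        if len(row) != 6:            # skip blank or malformed records
            continue
        ts, src, dst, proto, dport, nbytes = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in plcs or proto.lower() != "udp" or int(dport) != SNMP_PORT:
            continue                 # not SNMP to a monitored PLC
        if any(src_ip in net for net in nets):
            continue                 # e.g. the workstation that performs firmware updates
        hits[src].append((ts, dst, int(nbytes)))
    return dict(hits)

if __name__ == "__main__":
    findings = unauthorized_snmp(
        SAMPLE_FLOWS,
        plc_hosts=["10.20.1.10", "10.20.1.11"],  # hypothetical MicroLogix 1400 addresses
        authorized_nets=["10.20.0.5/32"],        # hypothetical engineering workstation
    )
    for src, events in findings.items():
        print(f"{src}: {len(events)} SNMP flow(s) to PLCs from a non-authorized host")
        for ts, plc, nbytes in events:
            print(f"  {ts} -> {plc} ({nbytes} bytes)")
```

Flow records do not show which community string or SNMP operation was used, so each flagged source is a lead for further review rather than proof of exploitation.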