This updated advisory is a follow-up to the updated advisory titled ICSA-12-342-01A Rockwell Allen-Bradley MicroLogix, SLC 500, and PLC-5 controller that was published December 11, 2012, on the NCCIC/ICS-CERT web site.
Independent researcher Matthew Luallen of CYBATI has identified a fault generation vulnerability that can cause a denial of service (DoS) in the Rockwell Automation Allen-Bradley MicroLogix, SLC 500, and PLC-5 controller. Rockwell has released a notification that includes mitigation strategies for this vulnerability.
Rockwell has released new firmware for the MicroLogix product line that resolves this vulnerability.
This vulnerability could be exploited remotely.
Rockwell Automation reports that the vulnerabilities affect the following versions of Allen‑Bradley devices:
This vulnerability affects the availability of the device and connected devices.
A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS‑CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.
The affected products, MicroLogix, SLC 500, and PLC-5, are programmable logic controllers (PLCs). According to Rockwell Automation, these products are deployed across several sectors, including agriculture and food, water, chemical, manufacturing, and others. According to Rockwell’s web site, these products are used in Germany, Czech Republic, France, Poland, Denmark, Hungary, Italy, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.
When certain configuration parameters are not enabled, the affected devices are susceptible to a remote attack. To exploit the vulnerability, the attacker sends specially crafted messages that change specific bits in status files. This creates a device fault, which in turn causes a DoS.
Attackers sending malicious packets to Port 2222 TCP/UDP and Port 44818 TCP/UDP will cause the device fault. An attack will be successful regardless of the controller’s mode switch setting. Physical interaction is required to recover the device.
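Because the fault is triggered over the network on the two ports named above, a defender can review firewall or flow records for unexpected sources reaching controllers on those ports. The following is an added example, not part of the original advisory or of any Rockwell tooling; the log format, the controller subnet, and the approved source addresses are assumptions, and the sample records are constructed.

```python
import ipaddress

# Ports and transports named in the advisory.
CONTROLLER_PORTS = {2222, 44818}
TRANSPORTS = {"tcp", "udp"}
# Assumed for this example: the controller subnet and its approved peers.
CONTROLLER_NET = ipaddress.ip_network("10.20.0.0/24")
APPROVED_SOURCES = {ipaddress.ip_address("10.20.0.10"),  # engineering workstation
                    ipaddress.ip_address("10.20.0.11")}  # HMI

# Constructed sample records: "timestamp proto src:sport dst:dport action"
SAMPLE_LOG = """\
2013-08-05T10:00:01Z tcp 10.20.0.10:51000 10.20.0.50:44818 allow
2013-08-05T10:00:07Z udp 192.0.2.44:40000 10.20.0.50:2222 allow
2013-08-05T10:00:09Z tcp 10.30.1.7:51812 10.20.0.51:44818 deny
2013-08-05T10:00:12Z tcp 10.20.0.11:49200 10.20.0.50:80 allow
malformed line
2013-08-05T10:00:15Z TCP 10.30.1.7:51813 10.20.0.51:2222 allow
"""

def parse_record(line):
    """Return a dict for a well-formed record, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, action = parts
    try:
        src_ip, _sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return {"ts": ts, "proto": proto.lower(), "action": action.lower(),
                "src": ipaddress.ip_address(src_ip),
                "dst": ipaddress.ip_address(dst_ip), "dport": int(dport)}
    except ValueError:
        return None

def find_unexpected_access(log_text):
    """Flag traffic to controller ports from sources not on the approved list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["src"] in APPROVED_SOURCES:
            continue
        if (rec["proto"] in TRANSPORTS and rec["dport"] in CONTROLLER_PORTS
                and rec["dst"] in CONTROLLER_NET):
            # An allowed packet reached the controller; a denied one did not.
            severity = "high" if rec["action"] == "allow" else "info"
            findings.append((rec["ts"], str(rec["src"]), rec["dport"], severity))
    return findings
```

Records marked "high" were permitted through to a controller and deserve review first; "info" records show the filtering rule doing its job.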
CVE-2012-4690 has been assigned to this vulnerability. A CVSS v2 base score of 7.1 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:C).
This vulnerability could be exploited remotely.
No known public exploits specifically target this vulnerability.
An attacker with low skill would be able to exploit this vulnerability.
On August 2, 2013, Rockwell Automation updated their product security advisory that addresses this topic. This product security advisory, titled “511407 - MicroLogix, SLC 500 and PLC5 Controller Vulnerability,” can be found at the following location:
There are now firmware releases available for MicroLogix 1100 controller, MicroLogix 1200 controller, MicroLogix 1400 controller, and MicroLogix 1500 controller.
Rockwell Automation recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, multiple strategies should be employed simultaneously.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact CISA at:
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://www.us-cert.gov/ics
or incident reporting: https://www.us-cert.gov/report