CVSS2: 10 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.029 Low (Percentile: 90.8%)

The installed firmware on the remote Allen-Bradley MicroLogix 1400 controller is affected by multiple vulnerabilities:
A flaw exists when handling messages that modify specific bits in status files. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-4690)
A flaw exists in the Ethernet/IP protocol implementation when handling a CIP message that specifies a logic-execution ‘stop’ command. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-6435)
A buffer overflow condition exists due to improper validation of user-supplied input when parsing CIP packets. An unauthenticated, remote attacker can exploit this, via a malformed packet, to cause a denial of service condition. (CVE-2012-6436, CVE-2012-6438)
A flaw exists due to a failure to properly authenticate Ethernet firmware updates. An unauthenticated, remote attacker can exploit this, via a trojan horse update image, to execute arbitrary code. (CVE-2012-6437)
A flaw exists when handling CIP messages that modify network and configuration parameters. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-6439)
A flaw exists due to a failure to properly restrict session replaying. A man-in-the-middle attacker can exploit this, via HTTP traffic, to conduct a replay attack. (CVE-2012-6440)
An information disclosure vulnerability exists in the Ethernet/IP protocol implementation when handling the ‘dump’ command. An unauthenticated, remote attacker can exploit this, via a specially crafted CIP packet, to disclose the boot code of the device. (CVE-2012-6441)
A flaw exists in the Ethernet/IP protocol implementation when handling a CIP message that specifies a ‘reset’ command. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a denial of service condition. (CVE-2012-6442)
Note that Nessus has not tested for these issues but has instead relied only on the firmware’s self-reported version number.
Binary data scada_AB_micrologix_1400.nbin
Vendor | Product | Version | CPE |
---|---|---|---|
rockwellautomation | ab_micrologix_controller | 1400 | cpe:/h:rockwellautomation:ab_micrologix_controller:1400 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4690
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6435
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6437
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6438
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6439
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6440
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6441
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6442
ics-cert.us-cert.gov/advisories/ICSA-12-342-01B
ics-cert.us-cert.gov/advisories/ICSA-13-011-03
ics-cert.us-cert.gov/alerts/ICS-ALERT-12-020-02A
idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F470154
idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F470155
idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F470156
idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3D%2Fapp%2Fanswers%2Fdetail%2Fa_id%2F54102