Rockwell Automation was made aware of a vulnerability by a security researcher from Georgia Institute of Technology that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution. The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(500724);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");
script_cve_id("CVE-2022-46670");
script_name(english:"Rockwell Automation MicroLogix 1100 and 1400 Improper Neutralization of Input During Web Page Generation (CVE-2022-46670)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"Rockwell Automation was made aware of a vulnerability by a security
researcher from Georgia Institute of Technology that the MicroLogix
1100 and 1400 controllers contain a vulnerability that may give an
attacker the ability to accomplish remote code execution. The
vulnerability is an unauthenticated stored cross-site scripting
vulnerability in the embedded webserver. The payload is transferred to
the controller over SNMP and is rendered on the homepage of the
embedded website.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
# https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1137679
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?30440f54");
script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-354-04");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Rockwell Automation recommends users of the affected products to take the following actions:
- Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the
intended use of the device)
- Configure firewalls to disallow network communication through HTTP/Port 802
- Upgrade to the MicroLogix 800 or MicroLogix 850 as this device does not have the web server component
Rockwell Automation also recommends users to employ cybersecurity best practices, as outlined in their Knowledgebase
article.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-46670");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(79);
script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/16");
script_set_attribute(attribute:"patch_publication_date", value:"2022/12/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/05");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1100_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1400-a_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1400-b_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1400-c_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1400_firmware:-");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Rockwell");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Rockwell');
var asset = tenable_ot::assets::get(vendor:'Rockwell');
var vuln_cpes = {
"cpe:/o:rockwellautomation:micrologix_1400_firmware:-" :
{"family" : "MicroLogix1400"},
"cpe:/o:rockwellautomation:micrologix_1100_firmware:-" :
{"family" : "MicroLogix1100"},
"cpe:/o:rockwellautomation:micrologix_1400-b_firmware" :
{"versionEndIncluding" : "21.007", "family" : "MicroLogix1400"},
"cpe:/o:rockwellautomation:micrologix_1400-c_firmware" :
{"versionEndIncluding" : "21.007", "family" : "MicroLogix1400"},
"cpe:/o:rockwellautomation:micrologix_1400-a_firmware" :
{"versionEndIncluding" : "7.000", "family" : "MicroLogix1400"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
Vendor | Product | Version | CPE |
---|---|---|---|
rockwellautomation | micrologix_1100_firmware | - | cpe:/o:rockwellautomation:micrologix_1100_firmware:- |
rockwellautomation | micrologix_1400-a_firmware | cpe:/o:rockwellautomation:micrologix_1400-a_firmware | |
rockwellautomation | micrologix_1400-b_firmware | cpe:/o:rockwellautomation:micrologix_1400-b_firmware | |
rockwellautomation | micrologix_1400-c_firmware | cpe:/o:rockwellautomation:micrologix_1400-c_firmware | |
rockwellautomation | micrologix_1400_firmware | - | cpe:/o:rockwellautomation:micrologix_1400_firmware:- |