Detections
Analytics
Rockwell Automation/Allen-Bradley Multiple Devices Authentication Bypass (ICSA-18-310-02)
high Nessus Network Monitor Plugin ID 720141
Synopsis
Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules allow an unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device.Description
Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules allow an unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address.Solution
Perform vendor recommended mitigations and apply available vendor upgrades.See Also
http://www.securityfocus.com/bid/106132,https://ics-cert.us-cert.gov/advisories/ICSA-18-310-02
Plugin Details
Severity: High
ID: 720141
Family: SCADA
Published: 5/8/2019
Updated: 9/30/2019
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: High
Base Score: 7.8
Temporal Score: 5.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS v3
Risk Factor: High
Base Score: 8.6
Temporal Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Patch Publication Date: 12/6/2018
Vulnerability Publication Date: 12/6/2018
Reference Information
CVE: CVE-2018-17924
BID: 106132