Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 Predictable Value Range From Previous Values (CVE-2017-7901)

high Tenable OT Security Plugin ID 500082

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A Predictable Value Range from Previous Values issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. Insufficiently random TCP initial sequence numbers are generated, which may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections, resulting in a denial of service for the target device.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation has released a new firmware version for the Allen-Bradley MicroLogix 1400 Series B controllers, FRN 21.00, to address the identified vulnerabilities. Rockwell Automation encourages users to apply the latest firmware versions that address the identified vulnerabilities.

Rockwell Automation’s new firmware version for the Allen-Bradley MicroLogix 1400 Series B controllers, FRN 21.00, is available at the following location:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=1766-Lxx&crumb=112

There are no firmware versions to address these vulnerabilities in the Allen-Bradley MicroLogix 1100 or MicroLogix 1400 Series A controllers, but Rockwell Automation has offered some compensating controls. Rockwell Automation reports that users can disable the web server on the Allen-Bradley MicroLogix 1100 and 1400 Series A controllers to protect against the exploitation of the improper restriction of excessive authentication attempts and weak password requirements vulnerabilities.

Rockwell Automation recommends that if it is not needed, users should consider disabling the web server to further mitigate these threats.

- Disable the web server on the MicroLogix 1100 and 1400 controllers, if not needed, as it is enabled by default. See Knowledge Base article: 732398 for detailed instructions on disabling the web server. The Web Server Tech Note, KB:
732398 – How to Disable the Web Server in MicroLogix 1100 and 1400 is available at the following URL with a valid account:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/732398

- Set the mode to RUN via LCD soft keyswitch to prohibit any re-enabling of the web server while the keyswitch is in this mode.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04

http://www.securitytracker.com/id/1038546

http://www.nessus.org/u?51d5739f

Plugin Details

Severity: High

ID: 500082

Version: 1.9

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2017-7901

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:rockwellautomation:1766-l32bxba_series_a, cpe:/a:rockwellautomation:1766-l32bwaa_series_a, cpe:/a:rockwellautomation:1763-l16dwd_series_a, cpe:/a:rockwellautomation:1766-l32bxba_series_b, cpe:/a:rockwellautomation:1766-l32bwa_series_b, cpe:/a:rockwellautomation:1766-l32awaa_series_b, cpe:/a:rockwellautomation:1766-l32awa_series_b, cpe:/a:rockwellautomation:1763-l16dwd_series_b, cpe:/a:rockwellautomation:1766-l32bxb_series_a, cpe:/a:rockwellautomation:1766-l32bwaa_series_b, cpe:/a:rockwellautomation:1766-l32bwa_series_a, cpe:/a:rockwellautomation:1763-l16bwa_series_a, cpe:/a:rockwellautomation:1763-l16awa_series_b, cpe:/a:rockwellautomation:1763-l16bbb_series_a, cpe:/a:rockwellautomation:1766-l32awaa_series_a, cpe:/a:rockwellautomation:1763-l16awa_series_a, cpe:/a:rockwellautomation:1763-l16bbb_series_b, cpe:/a:rockwellautomation:1766-l32bxb_series_b, cpe:/a:rockwellautomation:1763-l16bwa_series_b, cpe:/a:rockwellautomation:1766-l32awa_series_a

Required KB Items: Tenable.ot/Rockwell

Exploit Ease: No known exploits are available

Patch Publication Date: 6/30/2017

Vulnerability Publication Date: 6/30/2017

Reference Information

CVE: CVE-2017-7901

CWE: 330

ICSA: 17-115-04