Rockwell Automation MicroLogix 1100 Controllers Improper Input Validation (CVE-2017-7924)

high Tenable OT Security Plugin ID 500278

Synopsis

The remote OT asset is affected by a vulnerability.

Description

An Improper Input Validation issue was discovered in Rockwell Automation MicroLogix 1100 controllers 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L16DWD. A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation recommends updating to the latest firmware revision of MicroLogix 1100 controllers, Version FRN 16.0 or later, which is available at the following location:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=1763&crumb=112

For more information on this vulnerability and more detailed mitigation instructions, please see Rockwell Automation’s advisory at the following location:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1047342

As well as Rockwell Automation’s security page:

http://www.rockwellautomation.com/security/overview.page

ICS-CERT and Rockwell Automation recommend that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

- Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818/TCP and UDP using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Rockwell Automation’s Knowledgebase Article ID 898270 which is available at the following location:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/898270

- Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and use best practices when isolating them from the business network. The Common Plant-wide Ethernet (CPwE) guide provides recommendations for deploying a plant-wide architecture: Industrial Firewalls within a CPwE Architecture
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-17-138-03

http://www.securityfocus.com/bid/99622

http://www.nessus.org/u?3800a05b

Plugin Details

Severity: High

ID: 500278

Version: 1.8

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2017-7924

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rockwellautomation:1763-l16dwd_firmware:-, cpe:/o:rockwellautomation:1763-l16bwa_firmware:-, cpe:/o:rockwellautomation:1763-l16bbb_firmware:-, cpe:/o:rockwellautomation:1763-l16awa_firmware:-

Required KB Items: Tenable.ot/Rockwell

Exploit Ease: No known exploits are available

Patch Publication Date: 9/20/2017

Vulnerability Publication Date: 9/20/2017

Reference Information

CVE: CVE-2017-7924

CWE: 20

ICSA: 17-138-03