Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 Reusing a Nonce, Key Pair in Encryption (CVE-2017-7902)

critical Tenable OT Security Plugin ID 500283

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A Reusing a Nonce, Key Pair in Encryption issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. The affected product reuses nonces, which may allow an attacker to capture and replay a valid request until the nonce is changed.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation has released a new firmware version for the Allen-Bradley MicroLogix 1400 Series B controllers, FRN 21.00, to address the identified vulnerabilities. Rockwell Automation encourages users to apply the latest firmware versions that address the identified vulnerabilities.

Rockwell Automation’s new firmware version for the Allen-Bradley MicroLogix 1400 Series B controllers, FRN 21.00, is available at the following location:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=1766-Lxx&crumb=112

There are no firmware versions to address these vulnerabilities in the Allen-Bradley MicroLogix 1100 or MicroLogix 1400 Series A controllers, but Rockwell Automation has offered some compensating controls. Rockwell Automation reports that users can disable the web server on the Allen-Bradley MicroLogix 1100 and 1400 Series A controllers to protect against the exploitation of the improper restriction of excessive authentication attempts and weak password requirements vulnerabilities.

Rockwell Automation recommends that if it is not needed, users should consider disabling the web server to further mitigate these threats.

- Disable the web server on the MicroLogix 1100 and 1400 controllers, if not needed, as it is enabled by default. See Knowledge Base article: 732398 for detailed instructions on disabling the web server. The Web Server Tech Note, KB:
732398 – How to Disable the Web Server in MicroLogix 1100 and 1400 is available at the following URL with a valid account:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/732398

- Set the mode to RUN via LCD soft keyswitch to prohibit any re-enabling of the web server while the keyswitch is in this mode.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04

http://www.securitytracker.com/id/1038546

http://www.nessus.org/u?51d5739f

Plugin Details

Severity: Critical

ID: 500283

Version: 1.9

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2017-7902

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:rockwellautomation:1766-l32bxba_series_a, cpe:/a:rockwellautomation:1766-l32bwaa_series_a, cpe:/a:rockwellautomation:1763-l16dwd_series_a, cpe:/a:rockwellautomation:1766-l32bxba_series_b, cpe:/a:rockwellautomation:1766-l32bwa_series_b, cpe:/a:rockwellautomation:1766-l32awaa_series_b, cpe:/a:rockwellautomation:1766-l32awa_series_b, cpe:/a:rockwellautomation:1763-l16dwd_series_b, cpe:/a:rockwellautomation:1766-l32bxb_series_a, cpe:/a:rockwellautomation:1766-l32bwaa_series_b, cpe:/a:rockwellautomation:1766-l32bwa_series_a, cpe:/a:rockwellautomation:1763-l16bwa_series_a, cpe:/a:rockwellautomation:1763-l16awa_series_b, cpe:/a:rockwellautomation:1763-l16bbb_series_a, cpe:/a:rockwellautomation:1766-l32awaa_series_a, cpe:/a:rockwellautomation:1763-l16awa_series_a, cpe:/a:rockwellautomation:1763-l16bbb_series_b, cpe:/a:rockwellautomation:1766-l32bxb_series_b, cpe:/a:rockwellautomation:1763-l16bwa_series_b, cpe:/a:rockwellautomation:1766-l32awa_series_a

Required KB Items: Tenable.ot/Rockwell

Exploit Ease: No known exploits are available

Patch Publication Date: 6/30/2017

Vulnerability Publication Date: 6/30/2017

Reference Information

CVE: CVE-2017-7902

CWE: 330

ICSA: 17-115-04