Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

 C4 SCADA Security Advisory  Rockwell Automation (Allen Bradley) Multiple
       Vulnerabilities in Micrologix 1100 & 1400 Series Controllers
                              18 January 2010


        AusCERT Security Bulletin Summary

Product:           Micrologix 1100 Series Controllers
                   Micrologix 1400 Series Controllers
Publisher:         c4-security
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2009-3739  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----------------
Vendor product information, from www.ab.com :
With online editing and a built-in 10/100 Mbps EtherNet/IP port for
peer-to-peer messaging, the MicroLogix 1100 controller adds greater
connectivity and application coverage to the MicroLogix family of
Allen-Bradley controllers. This next generation controller's built-in LCD
screen displays controller status, I/O status, and simple operator messages;
enables bit and integer manipulation; offers digital trim pot functionality,
and a means to make operating mode changes (Prog / Remote / Run).
With 10 digital inputs, 2 analog inputs and 6 digital outputs, the
MicroLogix 1100 can handle a wide variety of tasks. The MicroLogix 1100
controllers also support expansion I/O. Up to four 1762 I/O modules (also
used on the MicroLogix 1200 and 1400) may be added to the embedded I/O,
providing application flexibility and support of up to 80 digital I/O.

- ----------------
Due to the sensitivity of SCADA-related vulnerabilities, we can only
publicly disclose that the Micrologix 1100 and 1400 controllers suffer from
multiple vulnerabilities that allow unauthorized control of the PLC.
Details of these vulnerabilities will be disclosed only to legitimate
parties such as asset owners (utilities), after receiving the approval of
the local CERT or any other local official entity.

- ----------
An attacker can exploit these vulnerabilities in order to:
.  	Halt the system's operation (Denial of Service)
.  	Gain unauthorized access with high privileges to the system
.  	Leverage these vulnerabilities to attempt to find additional 
vulnerabilities in the server to carry out the "field to field" attack
vectors mentioned in C4's S4 2008 paper "Control System Attack Vectors and
Examples: Field Site and Corporate Network"

Affected Versions
- -------------------------
AB Micrologix 1100
AB Micrologix 1400

- -----------------------
Consult with Rockwell Automation or a SCADA security company on how to
mitigate the found vulnerabilities by restricting access to the control

Additional Information
- -------------------------------
For additional information please contact us at info_at_c4-security.com.
Note that we will respond only to verified utility personnel and
governmental agencies. Details of this vulnerability will be disclosed only
to legitimate parties such as asset owners (utilities), after receiving the
approval of the local CERT or any other local official entity.

The CVE identifier assigned to this vulnerability by CERT is CVE-2009-3739

- --------
These vulnerabilities were discovered and exploited by Eyal Udassin from C4
Security (http://www.c4-security.com).
We would like to thank Rockwell Automation and CERT for their professional
handling of the vulnerability disclosure process.

C4 Security is a leader in SCADA security reviews, auditing and penetration

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967