-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0051
     C4 SCADA Security Advisory Rockwell Automation (Allen Bradley)
  Multiple Vulnerabilities in Micrologix 1100 & 1400 Series Controllers
                              18 January 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Micrologix 1100 Series Controllers
                   Micrologix 1400 Series Controllers
Publisher:         c4-security
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2009-3739

Original Bulletin:
  http://www.scada-security.com/vulnerabilities/rockwellautomation1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Background
- -----------------

Vendor product information, from www.ab.com:

With online editing and a built-in 10/100 Mbps EtherNet/IP port for
peer-to-peer messaging, the MicroLogix 1100 controller adds greater
connectivity and application coverage to the MicroLogix family of
Allen-Bradley controllers. This next generation controller's built-in LCD
screen displays controller status, I/O status, and simple operator
messages; enables bit and integer manipulation; offers digital trim pot
functionality, and a means to make operating mode changes (Prog / Remote /
Run). With 10 digital inputs, 2 analog inputs and 6 digital outputs, the
MicroLogix 1100 can handle a wide variety of tasks. The MicroLogix 1100
controllers also support expansion I/O. Up to four 1762 I/O modules (also
used on the MicroLogix 1200 and 1400) may be added to the embedded I/O,
providing application flexibility and support of up to 80 digital I/O.
Description
- ----------------

Due to the sensitivity of SCADA-related vulnerabilities, we can only
publicly disclose that the Micrologix 1100 and 1400 controllers suffer from
multiple vulnerabilities that allow unauthorized control of the PLC.
Details of these vulnerabilities will be disclosed only to legitimate
parties such as asset owners (utilities), after receiving the approval of
the local CERT or any other local official entity.

Impact
- ----------

An attacker can exploit these vulnerabilities in order to:

. Halt the system's operation (Denial of Service)
. Gain unauthorized access with high privileges to the system
. Leverage these vulnerabilities to attempt to find additional
  vulnerabilities in the server to carry out the "field to field" attack
  vectors mentioned in C4's S4 2008 paper "Control System Attack Vectors
  and Examples: Field Site and Corporate Network"
  (http://www.c4-security.com/index-5.html).

Affected Versions
- -------------------------

AB Micrologix 1100
AB Micrologix 1400

Workaround/Fix
- -----------------------

Consult with Rockwell Automation or a SCADA security company on how to
mitigate the found vulnerabilities by restricting access to the control
network.

Additional Information
- -------------------------------

For additional information please contact us at info_at_c4-security.com.
Note that we will respond only to verified utility personnel and
governmental agencies. Details of this vulnerability will be disclosed
only to legitimate parties such as asset owners (utilities), after
receiving the approval of the local CERT or any other local official
entity.

The CVE identifier assigned to this vulnerability by CERT is CVE-2009-3739.

Credit
- --------

These vulnerabilities were discovered and exploited by Eyal Udassin from
C4 Security (http://www.c4-security.com). We would like to thank Rockwell
Automation and CERT for their professional handling of the vulnerability
disclosure process.
C4 Security is a leader in SCADA security reviews, auditing and
penetration testing.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLU7rWNVH5XJJInbgRAruiAJ9tTeRgOddtqOgntEALFfk7ksQ5qwCdFLjS
yGjt8m+LChjk8KmhAqTajrc=
=3aTm
-----END PGP SIGNATURE-----
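The only mitigation the bulletin offers is to restrict access to the control network. The following Python script is an added illustration of that advice and is not part of the AusCERT bulletin, the C4 advisory, or any Rockwell Automation material. It models the restriction as an allow-list (only engineering workstations may reach a PLC's EtherNet/IP service) and audits constructed flow records against it, flagging every source that reaches that service from outside the allow-list. Assumptions: the subnets, the flow-record format and the sample flows are constructed for the example; TCP 44818 and UDP 2222 are the standard EtherNet/IP ports and are not taken from the bulletin.

```python
"""Allow-list audit for EtherNet/IP access to MicroLogix controllers.

Added example, not from the bulletin: models "restrict access to the
control network" as an allow-list and checks flow records against it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Standard EtherNet/IP ports (assumption, not stated in the bulletin):
# TCP 44818 for explicit (CIP) messaging, UDP 2222 for implicit I/O.
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Constructed addressing (assumption): controllers sit in 10.10.0.0/24 and
# only the engineering-workstation range 10.20.5.0/28 may talk EtherNet/IP
# to them. Everything else on the network is denied that service.
PLC_SUBNET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_plc_enip(flow: Flow) -> bool:
    """True when the flow targets a controller's EtherNet/IP service."""
    return (ipaddress.ip_address(flow.dst) in PLC_SUBNET
            and (flow.proto, flow.dport) in ENIP_PORTS)


def is_allowed(flow: Flow) -> bool:
    """Policy decision.

    EtherNet/IP to a PLC is permitted only from allow-listed sources.
    Traffic that is not aimed at a PLC's EtherNet/IP service is out of
    scope for this policy and passes through unchanged.
    """
    if not is_plc_enip(flow):
        return True
    src = ipaddress.ip_address(flow.src)
    return any(src in net for net in ALLOWED_SOURCES)


def audit(lines: Iterable[str]) -> List[Flow]:
    """Return the flows that violate the policy, in input order."""
    flows = (parse_flow(line) for line in lines if line.strip())
    return [f for f in flows if not is_allowed(f)]


# Constructed sample flows: two from an engineering host, one from an
# office range, two from an unrelated control-side segment.
SAMPLE_FLOWS = """
10.20.5.3    10.10.0.7   tcp 44818
10.20.5.3    10.10.0.7   udp 2222
192.168.1.44 10.10.0.7   tcp 44818
10.30.0.9    10.10.0.12  udp 2222
10.30.0.9    10.10.0.12  tcp 80
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS.splitlines()):
        print(f"DENY {f.src} -> {f.dst} {f.proto}/{f.dport}: "
              "source is not an allow-listed engineering host")
```

Run against the sample, the audit reports the office host 192.168.1.44 and the segment 10.30.0.9 reaching EtherNet/IP on a controller; the HTTP flow is ignored because the policy is scoped to the PLC service. The same allow-list is what the boundary firewall between the corporate and control networks should enforce, and the denied flows are the events worth alerting on, since the bulletin describes the vulnerabilities as reachable by a remote, unauthenticated attacker.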