Vulnerability could give attackers control of Rockwell PLCs
Cisco’s “threat intelligence organisation” Talos has discovered a vulnerability in Rockwell Automation’s MicroLogix 1400 PLCs that could allow cyber-attackers to take control of affected devices and to manipulate their settings, replace their firmware or disrupt their operation in other ways.
Depending on the role of the affected PLC within an industrial control process, this “could result in significant damages”, Talos warns.
The US government’s Industrial Control Systems Cyber Emergency Response Team (ICS-Cert) has issued an advisory notice saying that an attacker with “a low skill” could exploit the vulnerability, but adding that there are no known public exploits that target the vulnerability.
The vulnerability is due to the presence of an undocumented SNMP (Simple Network Management Protocol) string in the default configuration that is shipped with devices running affected versions of firmware. Talos has tested versions 7–15.004.
SNMP is used in many IP-based products to allow centralised or remote management. For example, it can allow users to manage a product’s firmware, including applying firmware updates. The MicroLogix 1400 PLCs use this as the official mechanism for applying firmware updates.
In addition to documented SNMP strings, the affected PLCs also use an undocumented string that cyber-attackers could exploit to make unauthorised changes to the PLCs. ICS-Cert says that due to the PLC’s firmware update process, this capability cannot be removed.
While operators can change the default SNMP community strings, the fact that this SNMP string is not documented “drastically decreases the likelihood of this value being changed prior to production deployment of the PLCs, as most operators are not likely to even be aware of its existence”, Talos warns.
“Given the severity of this issue,” it continues, “and the fact that this functionality has not been removed from affected devices, it is recommended that mitigations be put in place to prevent the successful exploitation of this vulnerability in production environments.”
Rockwell Automation has issued a list of mitigation strategies that it recommends users of affected versions of the MicroLogix 1400 should evaluate and deploy. Where possible, several of the strategies should be employed simultaneously. They include:
• Using the PLC’s Run keyswitch setting to prevent unauthorised and undesired firmware updates and other disruptive configuration changes.
• Using network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorised sources are blocked.
• Disabling the SNMP service on the PLC – this service is enabled by default.
• Minimising network exposure for all control devices and systems and ensuring that they are not accessible from the Internet.
• Locating control system networks and devices behind firewalls, and isolating them from business networks.
• And, when remote access is required, using secure methods, such as virtual private networks (VPNs), recognising that VPNs may have vulnerabilities and should be updated to the latest version.
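The second mitigation above, blocking SNMP requests to the PLCs from unauthorised sources, is only useful if operators can see whether it holds. The following is an added example, not code from Talos, Rockwell Automation or the article: it checks netfilter-style firewall log lines (a constructed sample, not real traffic) for SNMP (UDP/161) requests aimed at a PLC subnet from any host outside an approved management allowlist. The PLC subnet, management hosts and log format are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a netfilter-style format (hypothetical, not from the article).
# 10.30.1.x is assumed to be the PLC subnet; 10.20.0.5 the only approved SNMP management host.
SAMPLE_LOG = """\
Mar 10 09:12:01 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.5 DST=10.30.1.21 PROTO=UDP SPT=50123 DPT=161 LEN=72
Mar 10 09:12:03 fw kernel: IN=eth0 OUT=eth2 SRC=192.168.50.77 DST=10.30.1.21 PROTO=UDP SPT=41022 DPT=161 LEN=98
Mar 10 09:12:04 fw kernel: IN=eth0 OUT=eth2 SRC=192.168.50.77 DST=10.30.1.22 PROTO=TCP SPT=41023 DPT=44818 LEN=60
Mar 10 09:12:05 fw kernel: IN=eth0 OUT=eth2 SRC=203.0.113.9 DST=10.30.1.22 PROTO=UDP SPT=9999 DPT=161 LEN=120
"""

# Pull the fields we need out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

SNMP_PORT = "161"


def find_unauthorised_snmp(log_text, plc_subnets, management_hosts):
    """Return (src, dst) pairs for SNMP requests to a PLC subnet from a non-allowlisted host.

    plc_subnets: iterable of CIDR strings covering the control devices.
    management_hosts: iterable of IP strings permitted to send SNMP to the PLCs.
    """
    plc_nets = [ip_network(n) for n in plc_subnets]
    allowed = {ip_address(h) for h in management_hosts}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection log line
        if m["proto"] != "UDP" or m["dpt"] != SNMP_PORT:
            continue  # only SNMP requests are of interest here
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if not any(dst in net for net in plc_nets):
            continue  # destination is not a control device
        if src in allowed:
            continue  # approved management station
        alerts.append((str(src), str(dst)))
    return alerts


if __name__ == "__main__":
    for src, dst in find_unauthorised_snmp(SAMPLE_LOG, ["10.30.1.0/24"], ["10.20.0.5"]):
        print(f"ALERT: SNMP request to PLC {dst} from unapproved host {src}")
```

Each alert is a source that should have been blocked by the firewall rule, or that needs adding to the allowlist after review; the TCP line on port 44818 is ignored because it is not SNMP.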
Last year, Rockwell Automation issued firmware updates for some of its MicroLogix 1100 and 1400 PLCs to tackle security vulnerabilities that, if left unpatched, could allow remote cyber-attackers to interfere with the PLCs’ operation.