ICSA-13-011-03  ·  Published 2025-06-06

Rockwell Automation ControlLogix PLC Vulnerabilities

CVSS 10.0 CRITICAL

Remediations

  • According to Rockwell, any of the above products that become affected by a vulnerability can be reset by rebooting or power cycling the affected product. After the reboot, the affected product may require some reconfiguration.
  • To mitigate the vulnerabilities, Rockwell developed and released security patches on July 18, 2012, to address each of the issues. To download and install the patches, refer to Rockwell’s advisories at (https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154), (https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155) and (https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156).
  • For more information on security with Rockwell Automation products, please refer to Rockwell’s Security Advisory Index (http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102).
  • Rockwell recommends updating to the newest firmware patches to fix the vulnerabilities, but if not able to do so right away, then Rockwell advises immediately employing the following mitigations for each of the affected products.
  • To mitigate the vulnerabilities pertaining to receiving valid CIP packets: Block all traffic to the Ethernet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Ports 2222 and 44818 using appropriate security technology such as a firewall or Unified Threat Management (UTM). Employ a UTM appliance that specifically supports CIP message filtering.
  • To mitigate the vulnerability pertaining to the corrupted firmware update: At this time, Rockwell is still evaluating the feasibility of creating an update for the 1756-ENBT communication module to include a digital signature validation mechanism on the firmware. Until Rockwell creates an update, Rockwell recommends that concerned customers employ good security design practices and consider using the more contemporary 1756-EN2T Ethernet/IP communication modules for the ControlLogix platform. The 1756-EN2T has been able to validate digital signatures since firmware Release 5.028.
  • To mitigate receiving malformed CIP packets that can cause the controller to enter a fault state: Where possible, Rockwell recommends that users upgrade the affected products to Logix Release V20 and higher.
  • To mitigate receiving valid CIP packets that instruct the controller to stop logic execution and enter a fault state: Where possible, upgrade CompactLogix and SoftLogix affected products to Logix Release V20 or higher. Where possible, upgrade ControlLogix and GuardLogix affected products to Logix Release v20.012 or higher. Block all traffic to the Ethernet/IP or other CIP protocol devices as directed above. Employ a UTM as directed above.
  • To mitigate the vulnerability with the Web server password authentication mechanism:
      • Upgrade the MicroLogix 1400 firmware to FRN 12 or higher.
      • Because of limitations in the MicroLogix 1100 platform, none of the firmware updates will be able to fix this issue, so users should use the following techniques to help reduce the likelihood of compromise.
      • Where possible, disable the Web server and change all default Administrator and Guest passwords.
      • If Web server functionality is needed, then Rockwell recommends upgrading the product’s firmware to the most current version to have the newest enhanced protections available, such as:
          • When a controller receives two consecutive invalid authentication requests from an HTTP client, the controller resets the Authentication Counter after 60 minutes.
          • When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid authentication packets until a 24-hour HTTP Server Lock Timer timeout.
      • If Web server functionality is needed, Rockwell also recommends configuring user accounts to have READ only access to the product so those accounts cannot be used to make configuration changes.
  • In addition to the above, Rockwell recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, they suggest you apply multiple recommendations and complement this list with your own best practices:
      • Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to (http://www.ab.com/networks/architectures.html) for comprehensive information about implementing validated architectures designed to deliver these measures.
      • Restrict physical and electronic access to automation products, networks, and systems to only those individuals authorized to be in contact with control system equipment.
      • Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations.
      • Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
      • Use up-to-date end-point protection software (e.g., antivirus/antimalware software) on all PC-based assets.
      • Make sure that software and control system device firmware is patched to current releases.
      • Periodically change passwords in control system components and infrastructure devices.
      • Where applicable, set the controller key-switch/mode-switch to RUN mode.
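
One way to verify the CIP port-blocking mitigation above is to audit firewall flow records for accepted traffic to TCP or UDP ports 2222 and 44818 that enters the Manufacturing Zone from outside it. This is an added example, not part of the advisory or Rockwell's guidance; the zone subnet, the CSV record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the advisory): the Manufacturing Zone subnet and the
# CSV flow-record layout "src_ip,dst_ip,proto,dst_port,action" are hypothetical.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]
CIP_PORTS = {2222, 44818}        # ports named in the advisory
CIP_PROTOCOLS = {"tcp", "udp"}   # the advisory calls for blocking both

# Constructed sample flow records (private and documentation addresses only).
SAMPLE_FLOWS = """\
10.20.1.15,10.20.4.10,tcp,44818,ACCEPT
192.168.50.7,10.20.4.10,tcp,44818,ACCEPT
192.168.50.7,10.20.4.11,udp,2222,DROP
203.0.113.9,10.20.4.10,udp,44818,ACCEPT
192.168.50.7,10.20.4.10,tcp,443,ACCEPT
not,a,valid,record
"""

def in_zone(addr):
    return any(addr in net for net in MANUFACTURING_ZONE)

def audit_flows(text):
    """Return (violations, malformed): accepted CIP flows that enter the zone
    from outside it, and line numbers that could not be parsed."""
    violations, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src, dst, proto, port, action = [f.strip() for f in line.split(",")]
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            # Wrong field count, bad address or bad port: report, do not skip silently.
            malformed.append(lineno)
            continue
        crosses_boundary = in_zone(dst_ip) and not in_zone(src_ip)
        is_cip = proto.lower() in CIP_PROTOCOLS and port in CIP_PORTS
        if crosses_boundary and is_cip and action.upper() == "ACCEPT":
            violations.append((lineno, src, dst, proto.lower(), port))
    return violations, malformed

if __name__ == "__main__":
    found, bad = audit_flows(SAMPLE_FLOWS)
    for v in found:
        print("CIP traffic allowed across zone boundary:", v)
    print("unparsed lines:", bad)
```

Traffic between hosts inside the zone is not flagged, since the mitigation only concerns sources outside the Manufacturing Zone.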

Affected Vendors

Rockwell Automation

Affected Products (16)

Rockwell Automation · EtherNet/IP products that conform to the CIP and EtherNet/IP specifications vers:all/*
Rockwell Automation · 1756-ENBT vers:all/*
Rockwell Automation · 1756-EWEB vers:all/*
Rockwell Automation · 1768-ENBT vers:all/*
Rockwell Automation · 1768-EWEB vers:all/*
Rockwell Automation · CompactLogix L32E and L35E controllers vers:all/*
Rockwell Automation · 1788-ENBT FLEXLogix adapter vers:all/*
Rockwell Automation · 1794-AENTR FLEX I/O EtherNet/IP adapter vers:all/*
Rockwell Automation · ControlLogix vers:all/*
Rockwell Automation · CompactLogix vers:all/*
Rockwell Automation · GuardLogix vers:all/*
Rockwell Automation · SoftLogix <=18
Rockwell Automation · CompactLogix and SoftLogix controllers <=19
Rockwell Automation · ControlLogix and GuardLogix controllers <=20
Rockwell Automation · MicroLogix 1100 vers:all/*
Rockwell Automation · MicroLogix 1400 vers:all/*
