Vulnerabilities in Rockwell Automation controllers found by Positive Technologies

Attackers can obtain remote access to а controller's diagnostic interface, although controller operation is not directly affected.

Positive Technologies has discovered vulnerabilities in Allen-Bradley MicroLogix 1100 and 1400 programmable logic controllers (PLCs) produced by Rockwell Automation. PLCs are used by industries worldwide as diverse as printing, pharmaceuticals, chemistry, foodstuffs, water supply, and sewage treatment.

Vulnerability CVE-2016-9334, with a CVSS v3 score of 6.5, relates to a failure to encrypt sensitive information during transmission via the PLC web service. Controllers with old firmware are unable to use the HTTPS protocol or turn off the web service, so all credentials are transmitted in the clear, making this information vulnerable to interception. To intercept credentials in such a scenario, an attacker would need to access traffic between the web browser and PLC by performing a man-in-the-middle (MitM) attack.

The second vulnerability, CVE-2016-9338, is scored at 2.7 by CVSS v3 and makes it possible for a user of the web service with administrator rights to delete all users, including the user's own account. An attacker could craft a special link or outright delete all system users, causing the web service to fail. Restoring full operation after such an attack would require a factory reset of the PLC, which involves physical access and updating the device firmware.

“These vulnerabilities do not pose a direct threat to critical processes, but they enable an attacker to fully disable one of the diagnostic services on the PLC or leverage it as part of a more complex attack. Such complex attacks could be more severe and lead to disruption or serious harm,” commented Ilya Karpov, Head of the ICS Research and Audit Unit at Positive Technologies. “Exploiting these vulnerabilities does not take a high degree of skill.”

Previously, in 2015, Rockwell Automation acknowledged the existence of two other vulnerabilities in Allen-Bradley MicroLogix 1100 and 1400 PLCs. Ilya Karpov and Alexey Osipov discovered support for cross-site scripting on the PLC web server. Hackers could take advantage of this support to remotely insert arbitrary JavaScript or HTML code to run in a web browser with the privileges of the current user (vulnerability CVE-2015-6488, CVSS v3 score 4.7).

In another flaw discovered by Ilya Karpov, SQL injection was possible due to improper sanitizing of data inputs. As a result, authenticated remote users could create or delete accounts, as well as escalate their privileges, by using malformed links (vulnerability CVE-2015-6486, CVSS v3 score 3.7).

To address the most recently found vulnerabilities, firmware updates are required: MicroLogix 1100 version 15.000 and MicroLogix 1400 version 16.000. Descriptions of the vulnerabilities and relevant security measures are provided in two ICS-CERT bulletins (ICSA-16-336-06, ICSA-15-300-03A).

MicroLogix programmable logic controllers have been used for the last three years in critical infrastructure hacking contests at the PHDays international security forum organized by Positive Technologies. In 2014, in the Critical Infrastructure Attack competition for hacking a mock “smart city,” Nikita Maximov and Pavel Markov took second place by cracking the password for the MicroLogix 1400 controller web interface; in the competition, the controller was responsible for controlling the boom barrier at a train crossing (at the forum in later years, it was responsible for track switching).

Positive Technologies develops a number of products, customized for industrial protocols, to detect vulnerabilities and cyberincidents on SCADA systems.