Multiple vulnerabilities in Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400



Published: 2017-05-24
Risk High
Patch available YES
Number of vulnerabilities 5
CVE-ID CVE-2017-7898
CVE-2017-7899
CVE-2017-7901
CVE-2017-7902
CVE-2017-7903
CWE-ID CWE-307
CWE-598
CWE-343
CWE-323
CWE-521
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Allen-Bradley MicroLogix 1400
Hardware solutions / Office equipment, IP-phones, print servers

Allen-Bradley MicroLogix 1100
Hardware solutions / Office equipment, IP-phones, print servers

Vendor Rockwell Automation

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Authentication bypass

EUVDB-ID: #VU6695

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7898

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform brute-force attack.

The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can repeatedly enter incorrect passwords to gain unauthorized access to the system.

Successful exploitation of the vulnerability may result in unauthorized access to vulnerable system.

Mitigation

Update to version 21.00

Vulnerable software versions

Allen-Bradley MicroLogix 1400: 1766-L32AWA 16.00 - 1766-L32BXBA 16.00

Allen-Bradley MicroLogix 1100: 1763-L16AWA 16.00 - 1763-L16DWD 16.00

External links

http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU6696

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7899

CWE-ID: CWE-598 - Information Exposure Through Query Strings in GET Request

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to an error when sending credentials to the web server using the HTTP GET method, which may result in the credentials being logged.

Successful exploitation of the vulnerability may result in unauthorized retrieval of the user credentials.

Mitigation

Update to version 21.00

Vulnerable software versions

Allen-Bradley MicroLogix 1400: 1766-L32AWA 16.00 - 1766-L32BXBA 16.00

Allen-Bradley MicroLogix 1100: 1763-L16AWA 16.00 - 1763-L16DWD 16.00

External links

http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Denial of service

EUVDB-ID: #VU6697

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7901

CWE-ID: CWE-343 - Predictable Value Range from Previous Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to generation of insufficiently random TCP initial sequence numbers. A remote attacker can predict the numbers from previous values and spoof or disrupt TCP connections.

Successful exploitation of the vulnerability may result in denial of service.

Mitigation

Update to version 21.00

Vulnerable software versions

Allen-Bradley MicroLogix 1400: 1766-L32AWA 16.00 - 1766-L32BXBA 16.00

Allen-Bradley MicroLogix 1100: 1763-L16AWA 16.00 - 1763-L16DWD 16.00

External links

http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Denial of service

EUVDB-ID: #VU6698

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7902

CWE-ID: CWE-323 - Reusing a Nonce, Key Pair in Encryption

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to reuse of nonces by the affected software. A remote attacker can capture and replay a valid request until the nonce is changed.

Successful exploitation of the vulnerability may result in denial of service.

Mitigation

Update to version 21.00

Vulnerable software versions

Allen-Bradley MicroLogix 1400: 1766-L32AWA 16.00 - 1766-L32BXBA 16.00

Allen-Bradley MicroLogix 1100: 1763-L16AWA 16.00 - 1763-L16DWD 16.00

External links

http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Authentication bypass

EUVDB-ID: #VU6699

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7903

CWE-ID: CWE-521 - Weak Password Requirements

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform brute-force attack.

The vulnerability exists due to weak password requirements. A remote attacker can brute-force account passwords and bypass authentication on the system.

Successful exploitation of the vulnerability may result in unauthorized access to vulnerable system.

Mitigation

Update to version 21.00

Vulnerable software versions

Allen-Bradley MicroLogix 1400: 1766-L32AWA 16.00 - 1766-L32BXBA 16.00

Allen-Bradley MicroLogix 1100: 1763-L16AWA 16.00 - 1763-L16DWD 16.00

External links

http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###