Missing authentication for critical function in Rockwell Automation products - CVE-2018-17924
Published: December 6, 2018 / Updated: December 7, 2018
Vulnerability identifier: #VU16330
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-17924
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Rockwell Automation
Affected software:
1756-EN3TR Series B
1756-EN3TR Series A
1756-EN2TR Series C
1756-EN2TR Series B
1756-EN2TR Series A
1756-EN2T Series D
1756-EN2T Series C
1756-EN2T Series B
1756-EN2T Series A
1756-EN2F Series C
1756-EN2F Series B
1756-EN2F Series A
1756-EWEB Series B
1756-EWEB Series A
1756-ENBT
MicroLogix 1400 Controller Series C
MicroLogix 1400 Controllers Series B
MicroLogix 1400 Controllers Series A
1756-EN3TR Series B
1756-EN3TR Series A
1756-EN2TR Series C
1756-EN2TR Series B
1756-EN2TR Series A
1756-EN2T Series D
1756-EN2T Series C
1756-EN2T Series B
1756-EN2T Series A
1756-EN2F Series C
1756-EN2F Series B
1756-EN2F Series A
1756-EWEB Series B
1756-EWEB Series A
1756-ENBT
MicroLogix 1400 Controller Series C
MicroLogix 1400 Controllers Series B
MicroLogix 1400 Controllers Series A
Detailed vulnerability description
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to a loss of communication between the device and the rest of the system when the affected device accepts this new IP configuration as the system traffic is still attempting to communicate with the device via the overwritten IP address.. A remote attacker can send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode.
How to mitigate CVE-2018-17924
Install update from vendor's website.