Multiple vulnerabilities in Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2017-7898 CVE-2017-7899 CVE-2017-7901 CVE-2017-7902 CVE-2017-7903 |
| CWE-ID | CWE-307 CWE-598 CWE-343 CWE-323 CWE-521 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Allen-Bradley MicroLogix 1400 Hardware solutions / Office equipment, IP-phones, print servers Allen-Bradley MicroLogix 1100 Hardware solutions / Office equipment, IP-phones, print servers |
| Vendor | Rockwell Automation |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Authentication bypass
EUVDB-ID: #VU6695
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7898
CWE-ID:
CWE-307 - Improper Restriction of Excessive Authentication Attempts
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform brute-force attack.
The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can repeatedly enter incorrect passwords to gain unauthorized access to the system.
Successful exploitation of the vulnerability may result in unauthorized access to vulnerable system.Mitigation
Update to version 21.00
Allen-Bradley MicroLogix 1400: 1766-L32AWAA 16.00 - 1766-L32AWA 16.00
Allen-Bradley MicroLogix 1100: 1763-L16DWD 16.00 - 1763-L16AWA 16.00
CPE2.3- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32AWAA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXBA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXB 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16DWD 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BWA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BBB 16.00:*:*:*:*:*:*:
http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU6696
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7899
CWE-ID:
CWE-598 - Information Exposure Through Query Strings in GET Request
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to an error when sending credentials to the web server using the HTTP GET method, which may result in the credentials being logged.
Successful exploitation of the vulnerability may result in unauthorized retrieval of the user credentials.Mitigation
Update to version 21.00
Allen-Bradley MicroLogix 1400: 1766-L32AWAA 16.00 - 1766-L32AWA 16.00
Allen-Bradley MicroLogix 1100: 1763-L16DWD 16.00 - 1763-L16AWA 16.00
CPE2.3- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32AWAA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXBA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXB 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16DWD 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BWA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BBB 16.00:*:*:*:*:*:*:
http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Denial of service
EUVDB-ID: #VU6697
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7901
CWE-ID:
CWE-343 - Predictable Value Range from Previous Values
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to generation of insufficiently random TCP initial sequence numbers. A remote attacker can predict the numbers from previous values and spoof or disrupt TCP connections.
Successful exploitation of the vulnerability may result in denial of service.Mitigation
Update to version 21.00
Allen-Bradley MicroLogix 1400: 1766-L32AWAA 16.00 - 1766-L32AWA 16.00
Allen-Bradley MicroLogix 1100: 1763-L16DWD 16.00 - 1763-L16AWA 16.00
CPE2.3- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32AWAA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXBA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXB 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16DWD 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BWA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BBB 16.00:*:*:*:*:*:*:
http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Denial of service
EUVDB-ID: #VU6698
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7902
CWE-ID:
CWE-323 - Reusing a Nonce, Key Pair in Encryption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to reuse of nonces by the affected software. A remote attacker can capture and replay a valid request until the nonce is changed.
Successful exploitation of the vulnerability may result in denial of service.Mitigation
Update to version 21.00
Allen-Bradley MicroLogix 1400: 1766-L32AWAA 16.00 - 1766-L32AWA 16.00
Allen-Bradley MicroLogix 1100: 1763-L16DWD 16.00 - 1763-L16AWA 16.00
CPE2.3- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32AWAA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXBA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXB 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16DWD 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BWA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BBB 16.00:*:*:*:*:*:*:
http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Authentication bypass
EUVDB-ID: #VU6699
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7903
CWE-ID:
CWE-521 - Weak Password Requirements
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform brute-force attack.
The vulnerability exists due to weak password requirements. A remote attacker can brute-force account passwords and bypass authentication on the system.
Mitigation
Update to version 21.00
Allen-Bradley MicroLogix 1400: 1766-L32AWAA 16.00 - 1766-L32AWA 16.00
Allen-Bradley MicroLogix 1100: 1763-L16DWD 16.00 - 1763-L16AWA 16.00
CPE2.3- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32AWAA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXBA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1400:1766-L32BXB 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16DWD 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BWA 16.00:*:*:*:*:*:*:
- cpe:2.3:h:rockwell_automation:allen-bradley_micrologix_1100:1763-L16BBB 16.00:*:*:*:*:*:*:
http://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
