#VU25991 Use of Client-Side Authentication in Rockwell Automation products - CVE-2020-6988
Vulnerability identifier: #VU25991
Vulnerability risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-603
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
MicroLogix 1400 Controllers Series A
Client/Desktop applications /
Software for system administration
MicroLogix 1400 Controllers Series B
Client/Desktop applications /
Software for system administration
Allen-Bradley MicroLogix 1100
Hardware solutions /
Office equipment, IP-phones, print servers
RSLogix 500 Software
Client/Desktop applications /
Other client software
Vendor: Rockwell Automation
Description
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information on the system.
The vulnerability exists due to a client/server product performs authentication within client code but not in server code. A remote attacker can send a specially crafted request from the RSLogix 500 software to the victim’s MicroLogix controller. The controller will then respond to the client with used password values to authenticate the user on the client-side.
This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
MicroLogix 1400 Controllers Series A: All versions
MicroLogix 1400 Controllers Series B: 21.001
Allen-Bradley MicroLogix 1100: All versions
RSLogix 500 Software: before 11.00.00
External links
https://ics-cert.us-cert.gov/advisories/icsa-20-070-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
