Ethernet/IP Configuration Change affecting MicroLogix 1400™ and 1756 ControlLogix® Ethernet/IP Communication Modules

A vulnerability has been discovered in certain versions of MicroLogix 1400 ™ controllers and 1756 ControlLogix® Ethernet/IP Communication modules, which could potentially allow an IP configuration change to occur even when the controller keyswitch is set to Hard Run. 

A remote, unauthenticated attacker could request a connection with an affected module and then send an IP configuration change request, which may result in a halt of Ethernet/IP traffic between the affected device and the rest of the system.

To determine which Allen-Bradley products are affected by these vulnerabilities, as well as to find out what you can do to mitigate your risk, please refer to the Rockwell Automation Security Advisory Index Knowledgebase article [KB1081928] 

MicroLogix 1400 Controllers, 1756 ControlLogix EtherNet/IP Communication Modules Denial of Service

1081928 | Date Created: 10/12/2018 | Last Updated: 12/07/2018

Version 1.0 – November 6, 2018

Rockwell Automation received a report from ICS-CERT regarding a vulnerability that exists in certain products that, if successfully exploited, can allow a threat actor to disrupt Ethernet communication by allowing Internet Protocol (IP) configuration changes to the affected device in the system. The affected products include MicroLogix™ 1400 controllers, and 1756 ControlLogix® Ethernet/IP Communications Modules.

These products currently adhere to the ODVA EtherNet/IP standard. Rockwell Automation addressed the risks exposed by this specific issue, and have taken additional action with ODVA to produce a standard that improves the security protocol utilized by industrial automation devices including those developed by Rockwell Automation.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details, including affected product versions and mitigation actions, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers

• Series A, All Versions
• Series B, v21.003 and earlier
• Series C, v21.003 and earlier

1756 ControlLogix EtherNet/IP Communications Modules

• 1756-ENBT, All Versions
• 1756-EWEB

• Series A, All Versions
• Series B, All Versions

• 1756-EN2F

• Series A, All Versions
• Series B, All Versions
• Series C, v10.10 and earlier

• 1756-EN2T

• Series A, All Versions
• Series B, All Versions
• Series C, All Versions
• Series D, v10.10 and earlier

• 1756-EN2TR

• Series A, All Versions
• Series B, All Versions
• Series C, v10.10 and earlier

• 1756-EN3TR

• Series A, All Versions
• Series B, v10.10 and earlier

VULNERABILITY DETAILS

An unauthenticated, remote threat actor could potentially send a CIP connection request to an affected device and, upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system. Reason being, the system traffic is still attempting to communicate with the device via the IP address that was overwritten.

Rockwell Automation evaluated the vulnerability using the common vulnerability scoring system (“CVSS”) v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update their firmware are directed towards additional risk mitigation strategies provided below, and are encouraged when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

LINKS ABOVE

1. Apply FRN 11.001 and later (Download)
2. Once the new FRN is applied, enable Explicit Protected Mode. See pg. 32 of the EtherNet/IP Network Configuration User Manual (ENET-UM001-EN-P) for details.

NOTE: Customers that are sent here from the Suggested Action column above are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.

GENERAL SECURITY GUIDELINES

• Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP messages from unauthorized sources are blocked.
• Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
• Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the operational zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
• Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site(https://rok.auto/security).

If you have questions regarding this notice, please send an email to Rockwell Automation’s product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

• 54102 – Industrial Security Advisory Index
• Industrial Firewalls within a CPwE Architecture
• Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
• ICS-CERT Advisory (ICSA-18-310-02)

REVISION HISTORY

Attachments

• File Type pdfKB-1081928_v1.0.pdf (700.9 KB)