Background
-----------------
Vendor product information, from www.ab.com :
With online editing and a built-in 10/100 Mbps EtherNet/IP port for
peer-to-peer messaging, the MicroLogix 1100 controller adds greater
connectivity and application coverage to the MicroLogix family of
Allen-Bradley controllers. This next generation controller's built-in LCD
screen displays controller status, I/O status, and simple operator messages;
enables bit and integer manipulation; offers digital trim pot functionality,
and a means to make operating mode changes (Prog / Remote / Run).
With 10 digital inputs, 2 analog inputs and 6 digital outputs, the
MicroLogix 1100 can handle a wide variety of tasks. The MicroLogix 1100
controllers also support expansion I/O. Up to four 1762 I/O modules (also
used on the MicroLogix 1200 and 1400) may be added to the embedded I/O,
providing application flexibility and support of up to 80 digital I/O.
Description
----------------
Due to the sensitivity of SCADA-related vulnerabilities, we can only
publicly disclose that the Micrologix 1100 and 1400 controllers suffer from
multiple vulnerabilities that allow unauthorized control of the PLC.
Details of these vulnerabilities will be disclosed only to legitimate
parties such as asset owners (utilities), after receiving the approval of
the local CERT or any other local official entity.
Impact
----------
An attacker can exploit these vulnerabilities in order to:
. Halt the system's operation (Denial of Service)
. Gain unauthorized access with high privileges to the system
. Leverage these vulnerabilities to attempt to find additional
vulnerabilities in the server to carry out the "field to field" attack
vectors mentioned in C4's S4 2008 paper "Control System Attack Vectors and
Examples: Field Site and Corporate Network"
(http://www.c4-security.com/index-5.html).
Affected Versions
-------------------------
AB Micrologix 1100
AB Micrologix 1400
Workaround/Fix
-----------------------
Consult with Rockwell Automation or a SCADA security company on how to
mitigate the found vulnerabilities by restricting access to the control
network.
Additional Information
-------------------------------
For additional information please contact us at info_at_c4-security.com.
Note that we will respond only to verified utility personnel and
governmental agencies. Details of this vulnerability will be disclosed only
to legitimate parties such as asset owners (utilities), after receiving the
approval of the local CERT or any other local official entity.
The CVE identifier assigned to this vulnerability by CERT is CVE-2009-3739
Credit
--------
These vulnerabilities were discovered and exploited by Eyal Udassin from C4
Security (http://www.c4-security.com).
We would like to thank Rockwell Automation and CERT for their professional
handling of the vulnerability disclosure process.
C4 Security is a leader in SCADA security reviews, auditing and penetration
testing.