Vulnerability CVE-2016-9334


Published: 2017-02-13

Description:
An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controllers 1763-L16AWA, 1763-L16BBB, 1763-L16BWA and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. User credentials are sent to the controller's embedded web server in clear text (plain HTTP), so an attacker who can observe the traffic between the web browser and the controller can recover them. No account on the controller and no interaction with it are needed, only a position on the network path, which is what the CVSS vector below (network access vector, no authentication, confidentiality impact only) records.
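What an on-path observer actually sees in this scenario, and how to detect it in a capture of traffic to the controller's web interface, is shown by the following added example. It is not code from Rockwell Automation or from the ICS-CERT advisory. The HTTP requests in it are constructed samples; the page does not say which login mechanism the MicroLogix web server uses (an HTTP Basic header or an HTML form POST), so the check handles both as an assumption, and the host 192.0.2.10, the paths /admin and /login and the form field names are placeholders.

```python
"""Passive check for credentials sent in clear text over plain HTTP.

Added example, not code from Rockwell Automation or the ICS-CERT advisory.
The request samples below are constructed; the exact login mechanism of the
MicroLogix web server (HTTP Basic header vs. form POST) is not stated on this
page, so both are handled as an assumption.
"""
import base64
import binascii
from urllib.parse import parse_qs

# Field names a login form commonly uses (assumption, not from the page).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = {"username", "user", "login", "uid"}

# Constructed sample requests, as a browser would send them to a PLC web server
# over plain HTTP. 192.0.2.10 and the paths are placeholders.
SAMPLE_BASIC = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic YWRtaW46cGxjLXNlY3JldA==\r\n"  # admin:plc-secret
    b"\r\n"
)
SAMPLE_FORM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=operator&password=s3cret"
)
SAMPLE_PLAIN = b"GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"


def split_request(raw):
    """Split one raw HTTP/1.x request into (request_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = (
                value.strip().decode("latin-1")
            )
    return request_line, headers, body


def _from_basic_header(headers):
    """HTTP Basic is base64, not encryption: decode it back to user:password."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed token: nothing decodable to report
    user, _, secret = decoded.partition(":")
    return {"source": "basic-auth", "user": user, "secret": secret}


def _from_form_body(headers, body):
    """A form-encoded POST carries the password as a plain query-string field."""
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    secret_key = next((k for k in fields if k.lower() in PASSWORD_FIELDS), None)
    if secret_key is None:
        return None
    user_key = next((k for k in fields if k.lower() in USER_FIELDS), None)
    return {
        "source": "form-post",
        "user": fields[user_key][0] if user_key else None,
        "secret": fields[secret_key][0],
    }


def find_cleartext_credentials(raw):
    """Return every credential finding for one plain-HTTP request (may be empty)."""
    _, headers, body = split_request(raw)
    candidates = (_from_basic_header(headers), _from_form_body(headers, body))
    return [c for c in candidates if c is not None]


def scan(requests):
    """Scan a sequence of raw requests; return (request_line, finding) pairs."""
    hits = []
    for raw in requests:
        request_line = split_request(raw)[0]
        for finding in find_cleartext_credentials(raw):
            hits.append((request_line, finding))
    return hits


if __name__ == "__main__":
    for request_line, finding in scan([SAMPLE_BASIC, SAMPLE_FORM, SAMPLE_PLAIN]):
        print(f"{request_line}: {finding['source']} user={finding['user']!r} "
              f"password={finding['secret']!r}")
```

Feed it request payloads reassembled from a SPAN-port or tap capture of traffic to the controller's web interface; any finding means the password crossed the wire readable by everyone on that path, which is exactly the exposure the description records. The check is deliberately limited to plain HTTP, the page's scenario; the same Basic header inside a TLS session is not observable this way.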

Vendor: Rockwellautomation (CPE vendor string for Rockwell Automation)

Affected products as listed in the CPE data (the 1763-L16 entries are the MicroLogix 1100 controllers named in the description; the 1766-L32 entries, MicroLogix 1400 controllers, appear in the product list only):
Product: 1766-l32bxb series a; Version: 15.004
Product: 1766-l32bwa series b; Version: 15.004
Product: 1766-l32bxba series b; Version: 15.004
Product: 1766-l32awa series b; Version: 15.004
Product: 1766-l32bxba series a; Version: 15.004
Product: 1766-l32awaa series b; Version: 15.004
Product: 1766-l32awa series a; Version: 15.004
Product: 1766-l32bwaa series b; Version: 15.004
Product: 1766-l32awaa series a; Version: 15.004
Product: 1766-l32bwa series a; Version: 15.004
Product: 1766-l32bxb series b; Version: 15.004
Product: 1766-l32bwaa series a; Version: 15.004
Product: 1763-l16dwd series b; Version: 14.000
Product: 1763-l16bbb series a; Version: 14.000
Product: 1763-l16bwa series a; Version: 14.000
Product: 1763-l16awa series a; Version: 14.000
Product: 1763-l16dwd series a; Version: 14.000
Product: 1763-l16bwa series b; Version: 14.000
Product: 1763-l16awa series b; Version: 14.000
Product: 1763-l16bbb series b; Version: 14.000

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

References:
http://www.securityfocus.com/bid/95302
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06

Related CVE
CVE-2018-19282
Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow remote attackers to cause a denial of service by crashing the Common Industrial Protocol (CIP) network stack. The vulnerability allows the attacker to crash the CIP in a way that it ...
CVE-2019-6553
A vulnerability was found in Rockwell Automation RSLinx Classic versions 4.10.00 and prior. An input validation issue in a .dll file of RSLinx Classic where the data in a Forward Open service request is passed to a fixed size buffer, allowing an atta...
CVE-2018-19016
Rockwell Automation EtherNet/IP Web Server Modules 1756-EWEB (includes 1756-EWEBK) Version 5.001 and earlier, and CompactLogix 1768-EWEB Version 2.005 and earlier. A remote attacker could send a crafted UDP packet to the SNMP service causing a denial...
CVE-2013-2805
Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it receives a datagram with an incorrect...
CVE-2010-5305
The potential exists for exposure of the product's password used to restrict unauthorized access to Rockwell PLC5/SLC5/0x/RSLogix 1785-Lx and 1747-L5x controllers. The potential exists for an unauthorized programming and configuration client to gain ...
CVE-2013-2807
Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an incorrect value for the...
CVE-2013-2806
Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an incorrect value for the...
CVE-2018-18981
In Rockwell Automation FactoryTalk Services Platform 2.90 and earlier, a remote unauthenticated attacker could send numerous crafted packets to service ports resulting in memory consumption that could lead to a partial or complete denial-of-service c...

Copyright 2019, cxsecurity.com

 
