{"vuid":"VU#144233","idnumber":"144233","name":"Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities","keywords":["scada","ab","ra","plc"],"overview":"Rockwell Automation Allen-Bradley MicroLogix programmable logic controllers (PLCs) do not adequately authenticate or authorize remote connections or commands. An attacker with network access can obtain the management password or issue commands that bypass the authentication mechanism.","clean_desc":"Rockwell Automation Allen-Bradley MicroLogix PLCs do not adequately authenticate or authorize remote connections or commands. Two vulnerable behaviors have been reported: During the authentication process, the PLC transmits the management password in plain text to the client. When processing remote commands, the PLC checks the session ID but not the password. The PLC will execute any command with a valid session ID, and obtaining an ID does not require the password. It appears that authentication is performed at the client (e.g., RSLogix), as the PLC does not check the password in either case. These vulnerabilities have been reported in the MicroLogix 1100 PLC. Other products in the MicroLogix series may also be affected.","impact":"An attacker with network access to a controller could obtain the management password or issue commands that bypass the authentication mechanism. The attacker could disable the controller or change the configuration.","resolution":"Updated firmware is not available. Consider the workarounds listed below. Also, please see Technotes 65980 and 65982.","workarounds":"Restrict access To reduce exposure to attacks, restrict network access to PLCs. Following the principle of least privilege, control system networks should not be generally accessible from enterprise networks or the internet. Permit only network traffic that is required for control system operation. 
Change passwords Changing passwords can prevent an attacker from accessing a PLC if the password is changed before the attacker attempts access or if different passwords are used on different PLCs. An attacker with network access can obtain the current password.","sysaffected":"","thanks":"Thanks to Eyal Udassin of C4 Security for researching and reporting these vulnerabilities. Thanks also to Rockwell Automation for providing technical assistance and developing mitigation techniques.","author":"This document was written by Art Manion.","public":["http://www.securityfocus.com/archive/1/archive/1/508946/100/0/threaded","http://www.ab.com/programmablecontrol/plc/micrologix/index.html","http://www.rockwellautomation.com/rockwellsoftware/design/rslogix5/","http://rockwellautomation.custhelp.com/app/answers/detail/a_id/65980/kw/65980/r_id/113025","http://rockwellautomation.custhelp.com/app/answers/detail/a_id/65982/kw/65982/r_id/113025","http://www.rockwellautomation.com/solutions/security"],"cveids":["CVE-2009-3739"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2009-08-20T14:26:17Z","publicdate":"2009-12-18T00:00:00Z","datefirstpublished":"2010-01-20T04:16:38Z","dateupdated":"2010-06-03T19:38:18Z","revision":23,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"4","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"6","cam_impact":"20","cam_easeofexploitation":"18","cam_attackeraccessrequired":"11","cam_scorecurrent":"8.91","cam_scorecurrentwidelyknown":"11.1375","cam_scorecurrentwidelyknownexploited":"20.0475","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"Not Defined (ND)","cvss_reportconfidence":"Not Defined (ND)","cvss_collateraldamagepotential":"Not Defined (ND)","cvss_targetdistribution":"Not Defined (ND)","cvss_securityrequirementscr":"Not Defined (ND)","cvss_securityrequirementsir":"Not Defined (ND)","cvss_securityrequirementsar":"Not Defined (ND)","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)","metric":8.91,"vulnote":null}