Rockwell Automation has patched a handful of vulnerabilities in its Allen-Bradley MicroLogix programmable logic controllers, including one that researchers say can be exploited with a single malicious URL.
Members of CyberX’s research team disclosed details on the vulnerability Wednesday at the 2015 ICS Cyber Security Conference. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also issued an advisory about the flaws.
The so-called FrostyURL vulnerability affects the Allen-Bradley MicroLogix 1100 PLC used to control industrial processes in a number of critical industries. CyberX, a security vendor operating in the industrial control system and SCADA markets, said that a single click of a maliciously crafted URL could affect an operational network.
“It blew our minds how simple it is,” said Nir Giller, CyberX CTO.
CyberX said its researchers built custom firmware and managed to upload it to the PLC, which simulated debugging and enabled remote code execution and memory dumps. The custom firmware bypassed existing security protections that are supposed to prevent flashing of unsigned firmware, the researchers said in a statement.
“This was an ‘Open-Sesame’ moment, as it enabled us to dump all of the PLC’s memory and thus observe the effects of different exploitation techniques we tried later on,” said researcher David Atch. “We successfully reverse engineered the PLC firmware, and we are sure we can find and exploit additional vulnerabilities.”
ICS-CERT said the remaining vulnerabilities were found by Ilya Karpov of Positive Technologies and by independent researcher Aditya Sood.
The flaws, ranging from memory corruption issues to unrestricted file uploads, cross-site scripting and SQL injection flaws, enable attackers to not only remotely execute code, but also elevate privileges or launch denial of service attacks.
Rockwell Automation has patched all but the buffer overflow vulnerability in the Allen-Bradley MicroLogix 1400, which it said will be patched in upcoming firmware.
According to ICS-CERT, the following Allen-Bradley MicroLogix 1100 controller platforms are affected:
- 1763-L16AWA, Series B, Version 14.000 and prior versions,
- 1763-L16BBB, Series B, Version 14.000 and prior versions,
- 1763-L16BWA, Series B, Version 14.000 and prior versions,
- 1763-L16DWD, Series B, Version 14.000 and prior versions,
- 1763-L16AWA, Series A, Version 14.000 and prior versions,
- 1763-L16BBB, Series A, Version 14.000 and prior versions,
- 1763-L16BWA, Series A, Version 14.000 and prior versions, and
- 1763-L16DWD, Series A, Version 14.000 and prior versions.
The following Allen-Bradley MicroLogix 1400 controller platforms are affected:
- 1766-L32AWA, Series B, Version 15.002 and prior versions,
- 1766-L32AWAA, Series B, Version 15.002 and prior versions,
- 1766-L32BWA, Series B, Version 15.002 and prior versions,
- 1766-L32BWAA, Series B, Version 15.002 and prior versions,
- 1766-L32BXB, Series B, Version 15.002 and prior versions,
- 1766-L32BXBA, Series B, Version 15.002 and prior versions,
- 1766-L32AWA, Series A, Version 15.002 and prior versions,
- 1766-L32AWAA, Series A, Version 15.002 and prior versions,
- 1766-LK32BWA, Series A, Version 15.002 and prior versions,
- 1766-L32BWAA, Series A, Version 15.002 and prior versions,
- 1766-L32BXB, Series A, Version 15.002 and prior versions, and
- 1766-L32BXBA, Series A, Version 15.002 and prior versions.
