An undocumented SNMP community string has been discovered in programmable logic controllers (PLCs) built by Allen-Bradley Rockwell Automation that exposes these devices deployed in a number of critical industries to remote attacks.
Researchers at Cisco Talos today said the vulnerability is in the default configuration of MicroLogix 1400 PLC systems. Rockwell Automation, meanwhile, said versions 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, and 1766-L32BXBA are affected.
“This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations,” Cisco Talos wrote in an advisory. “Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.”
According to an advisory published today by the Industrial Control System Cyber Emergency Response Team (ICS-CERT), these PLCs are used in industries such as chemical, manufacturing, food, water, wastewater and others across Europe, the United States and Asia.
Cisco Talos said it also found an undocumented “wheel” string that enables read/write access and exposes devices to unauthorized settings changes or firmware updates. Cisco cautions that the wheel string could also allow access to other object identifiers.
SNMP is a protocol used by many products for remote device management; in this case, for the deployment of firmware updates.
“Due to the nature of this product’s firmware update process, this capability cannot be removed from the product,” ICS-CERT said in its advisory.
Rockwell Automation provided a number of mitigations, including the use of a RUN keyswitch to prevent unauthorized firmware updates, and firewall updates to ensure SNMP requests from unauthorized sources are blocked.
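One way for an operator to verify the firewall mitigation above is to audit firewall logs for SNMP (UDP/161) traffic reaching the PLC subnet from hosts outside the approved management allowlist. The script below is an added example, not code from Cisco Talos, ICS-CERT or Rockwell Automation; the log format, PLC subnet and allowlisted addresses are all constructed assumptions.

```python
"""Flag SNMP (UDP/161) requests to PLC addresses from hosts not on the allowlist."""
import ipaddress
import re
from typing import Dict, List

# Constructed syslog-style firewall records (not real captures).
SAMPLE_LOGS = [
    "2017-03-28T10:01:02Z fw1 ACCEPT proto=UDP src=10.10.5.20 dst=10.20.0.11 sport=51234 dport=161",
    "2017-03-28T10:01:03Z fw1 ACCEPT proto=UDP src=192.168.77.9 dst=10.20.0.11 sport=40001 dport=161",
    "2017-03-28T10:01:04Z fw1 ACCEPT proto=TCP src=192.168.77.9 dst=10.20.0.11 sport=40002 dport=44818",
    "2017-03-28T10:01:05Z fw1 ACCEPT proto=UDP src=10.10.5.21 dst=10.20.0.12 sport=51235 dport=161",
    "2017-03-28T10:01:06Z fw1 DROP proto=UDP src=172.16.3.3 dst=10.20.0.12 sport=33333 dport=161",
]

# Assumed site configuration: the PLC subnet and the only hosts permitted to send SNMP to it.
PLC_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
SNMP_ALLOWLIST = {ipaddress.ip_address("10.10.5.20"), ipaddress.ip_address("10.10.5.21")}

LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) sport=\d+ dport=(?P<dport>\d+)"
)


def is_plc(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in PLC_NETWORKS)


def find_unauthorized_snmp(lines: List[str]) -> List[Dict[str, str]]:
    """Return records of SNMP requests to PLCs from non-allowlisted sources."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the audit
        rec = m.groupdict()
        if rec["proto"] != "UDP" or rec["dport"] != "161":
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if not is_plc(dst) or src in SNMP_ALLOWLIST:
            continue
        # ACCEPT means the blocking rule is missing; DROP still shows a host probing the PLC.
        rec["severity"] = "high" if rec["action"] == "ACCEPT" else "low"
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_snmp(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['ts']} {f['action']} SNMP {f['src']} -> {f['dst']}")
```

Run against real exports, the "high" findings point at missing firewall rules, while "low" findings identify hosts that should not be speaking SNMP toward the control network at all.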
“While it is possible for operators to change the default SNMP community strings on affected devices, the fact that this SNMP string is not documented by the vendor drastically decreases the likelihood of this value being changed prior to production deployment of the PLCs, as most operators are not likely to even be aware of its existence,” Cisco Talos said. “Given the severity of this issue, and the fact that this functionality has not been removed from affected devices, it is recommended that mitigations be put in place to prevent the successful exploitation of this vulnerability in production environments.”