This afternoon the DHS ICS-CERT published advisories for vulnerabilities in two well-known control systems: Rockwell MicroLogix 1400 PLCs and SchneiderWEB Server. Both advisories are for coordinated disclosures by outside researchers.
This advisory is for a denial of service vulnerability in the DNP3 implementation of the Allen-Bradley MicroLogix 1400 controller platform. The vulnerability was discovered by Matthew Luallen of CYBATI. Rockwell has produced a firmware revision to mitigate the vulnerability and, according to the advisory, the efficacy of that fix has been verified by Luallen. The advisory was originally released to the US-CERT Secure Portal on September 11th.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to conduct a denial of service attack.
Interestingly, Matthew is associated with Crain-Sistrunk via Project Robus. Apparently this vulnerability was discovered using the Robus fuzzer. That would mean that the fuzzer does more than ‘just’ detect classic Crain-Sistrunk DNP3 vulnerabilities.
This advisory reports a directory traversal vulnerability in the SchneiderWEB server identified by Billy Rios. According to the advisory this affects 22 different products in 66 Part Numbers. Schneider has released firmware updates for some versions of 22 products. The advisory reports that “Rios has tested the update [emphasis added] to validate that it resolves the vulnerability”. There may be some confusion about how Schneider uses the terms “part number” and “product” in their advisory. Billy Rios says that 22 different PLCs are affected.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to effect “unauthenticated administrative access and control over the device”.
Rios reports that there may be 800 of these devices visible on the internet.