This afternoon the DHS ICS-CERT published advisories for
vulnerabilities in two well-known control systems: Rockwell MicroLogix 1400
PLCs and SchneiderWEB Server. Both advisories are for coordinated disclosures
by outside researchers.
Rockwell Advisory
This advisory is
for a denial of service vulnerability in the DNP3 implementation of the
Allen-Bradley MicroLogix 1400 controller platform. The vulnerability was
discovered by Matthew Luallen of CYBATI.
Rockwell has produced a firmware revision to mitigate the vulnerability and,
according to the advisory, the efficacy of that fix has been verified by Luallen. The
advisory was originally released to the US-CERT Secure Portal on September 11th.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability to conduct a denial of service attack.
Interestingly, Matthew is associated with Crain-Sistrunk via
Project Robus. Apparently
this vulnerability was discovered using the Robus fuzzer. That would mean that
the fuzzer does more than ‘just’ detect classic Crain-Sistrunk DNP3
vulnerabilities.
Schneider Advisory
This advisory
reports a directory traversal vulnerability in the SchneiderWEB server
identified by Billy Rios. According to the advisory, this affects 22 different
products in 66 Part Numbers. Schneider has released firmware updates for some
versions of 22 products. The advisory reports that “Rios has tested the update
[emphasis added] to validate that it resolves the vulnerability”. There may be
some confusion about how Schneider uses the terms “part number” and “product”
in their advisory. Billy Rios says that 22
different PLCs are affected.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to effect “unauthenticated
administrative access and control over the device”.
Rios reports that
there may be 800 of these devices visible on the internet.