ICS-CERT Published Two Rockwell Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Rockwell Automation. Both advisories were previously published on the NCCIC Portal library (formerly US-CERT Secure Portal) to provide critical infrastructure owners time to implement mitigation measures before the vulnerabilities were publicly reported.

MicroLogix Advisory

This advisory describes two vulnerabilities in the Rockwell Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems. The vulnerabilities were reported by Alexey Osipov and Ilya Karpov of Positive Technologies. Rockwell has developed new firmware versions to mitigate the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Clear-text transmission of sensitive information - CVE-2016-9334; and

• Incorrect permission assignment for critical resource - CVE-2016-9338;

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to gain unauthorized access to affected devices, as well as impact the availability of affected devices.

Logix Advisory

This advisory describes a buffer overflow vulnerability in the Rockwell Automation Logix5000 Programmable Automation Controller product line. The vulnerability is apparently self-reported. Rockwell has developed new firmware versions to mitigate the vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to cause a denial of service at a controller or execute code on a target controller.