Rockwell Automation AB Micrologix控制器口令泄露和绕过安全限制漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1180618 漏洞类型 Design Error
发布时间 2010-01-15 更新时间 2010-01-20
CVE编号 CVE-2009-3739 CNNVD-ID CNNVD-201001-208
漏洞平台 N/A CVSS评分 10.0
|漏洞来源
https://www.securityfocus.com/bid/37827
https://cxsecurity.com/issue/WLB-2010010060
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201001-208
|漏洞详情
MicroLogix是工业自动化领域广泛使用的系列小型可编程控制器。MicroLogix控制器的通讯协议存在控制器口令泄露和绕过安全限制漏洞。远程攻击者可以借助未明向量,获得特权访问或引起拒绝服务。
|漏洞EXP
Background
-----------------
Vendor product information, from www.ab.com :
With online editing and a built-in 10/100 Mbps EtherNet/IP port for
peer-to-peer messaging, the MicroLogix 1100 controller adds greater
connectivity and application coverage to the MicroLogix family of
Allen-Bradley controllers. This next generation controller's built-in LCD
screen displays controller status, I/O status, and simple operator messages;
enables bit and integer manipulation; offers digital trim pot functionality,
and a means to make operating mode changes (Prog / Remote / Run).
With 10 digital inputs, 2 analog inputs and 6 digital outputs, the
MicroLogix 1100 can handle a wide variety of tasks. The MicroLogix 1100
controllers also support expansion I/O. Up to four 1762 I/O modules (also
used on the MicroLogix 1200 and 1400) may be added to the embedded I/O,
providing application flexibility and support of up to 80 digital I/O.

Description
----------------
Due to the sensitivity of SCADA-related vulnerabilities, we can only
publicly disclose that the Micrologix 1100 and 1400 controllers suffer from
multiple vulnerabilities that allow unauthorized control of the PLC.
Details of these vulnerabilities will be disclosed only to legitimate
parties such as asset owners (utilities), after receiving the approval of
the local CERT or any other local official entity.

Impact
----------
An attacker can exploit these vulnerabilities in order to:
.  	Halt the system's operation (Denial of Service)
.  	Gain unauthorized access with high privileges to the system
.  	Leverage these vulnerabilities to attempt to find additional 
vulnerabilities in the server to carry out the "field to field" attack
vectors mentioned in C4's S4 2008 paper "Control System Attack Vectors and
Examples: Field Site and Corporate Network"
(http://www.c4-security.com/index-5.html).

Affected Versions
-------------------------
AB Micrologix 1100
AB Micrologix 1400

Workaround/Fix
-----------------------
Consult with Rockwell Automation or a SCADA security company on how to
mitigate the found vulnerabilities by restricting access to the control
network.

Additional Information
-------------------------------
For additional information please contact us at info_at_c4-security.com.
Note that we will respond only to verified utility personnel and
governmental agencies. Details of this vulnerability will be disclosed only
to legitimate parties such as asset owners (utilities), after receiving the
approval of the local CERT or any other local official entity.

The CVE identifier assigned to this vulnerability by CERT is CVE-2009-3739

Credit
--------
These vulnerabilities were discovered and exploited by Eyal Udassin from C4
Security (http://www.c4-security.com).
We would like to thank Rockwell Automation and CERT for their professional
handling of the vulnerability disclosure process.

C4 Security is a leader in SCADA security reviews, auditing and penetration
testing.
|受影响的产品
Rockwell Automation Micrologix 1400 0 Rockwell Automation Micrologix 1100 0
|参考资料

来源:BUGTRAQ
名称:20100115C4SCADASecurityAdvisory-RockwellAutomation(AllenBradley)MultipleVulnerabilitiesinMicrologix1100&1400SeriesControllers
链接:http://www.securityfocus.com/archive/1/archive/1/508946/100/0/threaded
来源:NSFOCUS
名称:14370
链接:http://www.nsfocus.net/vulndb/14370