Rockwell Automation AB Micrologix控制器口令泄露和绕过安全限制漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1180618 漏洞类型 Design Error
发布时间 2010-01-15 更新时间 2010-01-20
CVE编号 CVE-2009-3739 CNNVD-ID CNNVD-201001-208
漏洞平台 N/A CVSS评分 10.0
Vendor product information, from :
With online editing and a built-in 10/100 Mbps EtherNet/IP port for
peer-to-peer messaging, the MicroLogix 1100 controller adds greater
connectivity and application coverage to the MicroLogix family of
Allen-Bradley controllers. This next generation controller's built-in LCD
screen displays controller status, I/O status, and simple operator messages;
enables bit and integer manipulation; offers digital trim pot functionality,
and a means to make operating mode changes (Prog / Remote / Run).
With 10 digital inputs, 2 analog inputs and 6 digital outputs, the
MicroLogix 1100 can handle a wide variety of tasks. The MicroLogix 1100
controllers also support expansion I/O. Up to four 1762 I/O modules (also
used on the MicroLogix 1200 and 1400) may be added to the embedded I/O,
providing application flexibility and support of up to 80 digital I/O.

Due to the sensitivity of SCADA-related vulnerabilities, we can only
publicly disclose that the Micrologix 1100 and 1400 controllers suffer from
multiple vulnerabilities that allow unauthorized control of the PLC.
Details of these vulnerabilities will be disclosed only to legitimate
parties such as asset owners (utilities), after receiving the approval of
the local CERT or any other local official entity.

An attacker can exploit these vulnerabilities in order to:
.  	Halt the system's operation (Denial of Service)
.  	Gain unauthorized access with high privileges to the system
.  	Leverage these vulnerabilities to attempt to find additional 
vulnerabilities in the server to carry out the "field to field" attack
vectors mentioned in C4's S4 2008 paper "Control System Attack Vectors and
Examples: Field Site and Corporate Network"

Affected Versions
AB Micrologix 1100
AB Micrologix 1400

Consult with Rockwell Automation or a SCADA security company on how to
mitigate the found vulnerabilities by restricting access to the control

Additional Information
For additional information please contact us at
Note that we will respond only to verified utility personnel and
governmental agencies. Details of this vulnerability will be disclosed only
to legitimate parties such as asset owners (utilities), after receiving the
approval of the local CERT or any other local official entity.

The CVE identifier assigned to this vulnerability by CERT is CVE-2009-3739

These vulnerabilities were discovered and exploited by Eyal Udassin from C4
Security (
We would like to thank Rockwell Automation and CERT for their professional
handling of the vulnerability disclosure process.

C4 Security is a leader in SCADA security reviews, auditing and penetration
Rockwell Automation Micrologix 1400 0 Rockwell Automation Micrologix 1100 0