Pierluigi Paganini April 25, 2019

A serious flaw in some of Rockwell Automation’s MicroLogix and CompactLogix PLCs can be exploited by a remote attacker to redirect users to malicious websites.

Some of Rockwell Automation’s MicroLogix and CompactLogix PLCs are affected by a serious vulnerability can be exploited by a remote attacker to redirect users to malicious websites.

The vulnerabilyt was tracked as CVE-2019-10955 and received a CVSS score of 7.1 (high severity), it affects MicroLogix 1100 and 1400, and CompactLogix 5370 (L1, L2 and L3) controllers.

Both the ICS-CERT and Rockwell Automation published a security advisory.

The flaw is an open redirect vulnerability that ties the web server running on vulnerable devices. According to the expert, the web server accepts user input from the PLCs web interface and a remote, unauthenticated attacker can inject a malicious link that redirects users from the controller’s web server to a malicious website.

“Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to input a malicious link redirecting users to a malicious website.” reads the advisory published by the US ICS-CERT.

“An open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user’s machine.”

According to the attack scenario described in the security advisory published by Rockwell (available to registered users), the malicious website could be used to deliver malware on the user’s machine.

“This malicious website could potentially run or download arbitrary malware on the user’s machine. The target of this type of attack is not the industrial control device and does not disrupt its control functionality,” reads the advisory published by Rockwell.

Rockwell has released firmware updates that address the vulnerability for the affected controllers. To mitigate the issue it is possible to disable the web server.

Below the recommendations published by Rockwell Automation to minimize the risk of exploitation of this vulnerability:

• Update to the latest available firmware revision that addresses the associated risk.
• Use trusted software, software patches, anti-virus/anti-malware programs, and interact only with trusted websites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls and isolate them from the business network.
• When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

The ICS-CERT credited Josiah Bryan and Giancarlo Palavicini for reporting this vulnerability to NCCIC.

Pierluigi Paganini

(SecurityAffairs – Rockwell, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]