Bug in Rockwell’s PLCs allows attackers to modify firmware

There is an undocumented SNMP community string in Rockwell Automation’s MicroLogix 1400 programmable logic controllers that can be exploited by attackers to remotely change settings or modify the device firmware, and therefore compromise the PLCs.

The vulnerability was found by Cisco Talos researcher Patrick DeSantis in versions 7 to 15.004 of the PLC systems (a full list of vulnerable product can be found here).

The affected PLCs are intended for use in general industrial machinery, HVAC / building automation, SCADA, commercial machinery, etc.

According to the US ICS-CERT, the vulnerability could be exploited by a low skilled attacker, but there are currently no known public exploits that specifically target this flaw.

“SNMP is a standard protocol employed by many types of internet protocol based products and allows centralized and remote device management capabilities. One of the many standard SNMP capabilities enables users to manage the product’s firmware, including the capability of applying firmware updates to the product. The MicroLogix 1400 utilizes this standard SNMP capability as its official mechanism for applying firmware updates to the product,” ICS-CERT explained.

Rockwell Automation has been informed of the issue, but unfortunately can’t remove the capability from the product.

Operators are, therefore, advised to minimize the risk of the flaw being exploited by doing things like utilizing proper network infrastructure controls to block SNMP requests from unauthorized sources, and using the product’s “RUN” keyswitch setting to prevent unauthorized firmware update operations.