Talos Vulnerability Report

TALOS-2020-1057

Allen-Bradley MicroLogix 1100 programmable logic controller systems IPv4 denial-of-service vulnerability

October 13, 2020

CVE Number

CVE-2020-6111

Summary

An exploitable denial-of-service vulnerability exists in the IPv4 functionality of Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000, Series B FRN 15.002, Series B FRN 15.000, Series B FRN 14.000, Series B FRN 13.000, Series B FRN 12.000, Series B FRN 11.000 and Series B FRN 10.000. A specially crafted packet can cause a major error, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 10.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 11.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 12.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 13.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 14.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 15.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 15.002
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000

Product URLs

https://ab.rockwellautomation.com/Programmable-Controllers/MicroLogix-1100

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-189 - Numeric Errors

Details

Rockwell Automation Allen-Bradley MicroLogix 1100 Programmable Logic Controllers (PLCs) are marketed for use in a variety of different Industrial Control System (ICS) applications and processes. As such, these devices are often relied upon for the performance of critical process control functions in many different critical infrastructure sectors.

If an ICMP packet with an invalid IPv4 total length is sent to a MicroLogix 1100 over the network, it will cause the PLC to crash and enter a fault state. This vulnerability can be triggered without authentication, provided that the device is reachable over the network.
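A defender can flag packets of this kind at a network monitor or an inline filter in front of the PLC. The following is an added example, not code from Talos or Rockwell Automation. The advisory does not say which invalid total-length values trigger the fault, so the checks are general consistency checks on the field. The function names, finding codes and sample packets are assumptions made for illustration.

```python
import struct

ICMP = 1          # IPv4 protocol number for ICMP
MIN_IP_HDR = 20   # bytes, IPv4 header without options
ICMP_HDR = 8      # bytes, fixed part of an ICMP message

def check_ipv4_total_length(packet):
    """Return finding codes for one packet that starts at the IPv4 header.

    An empty list means the total-length field is consistent with the rest
    of the packet. Checksums are not verified here.
    """
    if len(packet) < MIN_IP_HDR:
        return ["truncated_header"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", packet[:4])
    if ver_ihl >> 4 != 4:
        return ["not_ipv4"]
    ihl_bytes = (ver_ihl & 0x0F) * 4
    findings = []
    if ihl_bytes < MIN_IP_HDR:
        findings.append("bad_ihl")
    if total_len < ihl_bytes:
        findings.append("total_length_lt_header")
    elif packet[9] == ICMP and total_len < ihl_bytes + ICMP_HDR:
        findings.append("icmp_header_truncated")
    # Only "greater than" is flagged: short Ethernet frames are padded, so a
    # capture may legitimately hold more bytes than total_len.
    if total_len > len(packet):
        findings.append("total_length_gt_captured")
    return findings

def sample_icmp_packet(total_length, trailer=b""):
    """Constructed test input: IPv4 header + 8-byte ICMP echo header.

    Addresses come from the 192.0.2.0/24 documentation range; checksums are
    left at zero because the checker does not verify them.
    """
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64,
                         ICMP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x08\x00" + b"\x00" * 6 + trailer

if __name__ == "__main__":
    for length in (28, 10, 24, 1500):
        print(length, check_ipv4_total_length(sample_icmp_packet(length)))
```

Any non-empty result for traffic addressed to the controller is worth alerting on or dropping before it reaches the device.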

Crash Information

Major Error - 0008h - Internal software error

Timeline

2020-05-03 - Vendor Disclosure
2020-07-13 - Vendor requested extension; Disclosure extension granted to end of October
2020-10-13 - Public Release

Credit

Discovered by Emanuel Almeida of Cisco Systems, Inc.