31 March 2021

Good old buffer overflow

In February CISA published an advisory on a buffer overflow vulnerability in Rockwell Automation MicroLogix 1400 programmable logic controllers (PLCs), which was reported to Rockwell Automation by Veermata Jijabai Technological Institute. The vulnerability affects all series of MicroLogix 1400 devices, Version 21.6 and below.

Rockwell Automation MicroLogix 1400 PLCs support a wide range of industrial protocols, including EtherNet/IP™, DNP3, DF-1, DH-485 and Modbus RTU/Modbus ASCII, with digital and analog I/O points. The devices come with advanced capabilities such as integrated web servers and email functionality (SMTP client).

The vulnerability was assigned the identifier CVE-2021-22659. It is rated High with a CVSS 3.0 base score of 8.1 and the vector string AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H. The vulnerability requires a high skill level to exploit and there are no known public exploits for it.

The vulnerability could allow a remote unauthenticated attacker to retrieve or modify different register values on the device by sending a specially crafted Modbus packet. A successful attack can trigger a buffer overflow, which can result in the device becoming unresponsive and affect its availability. An affected device doesn’t recover automatically – the fault must be manually cleared by the user.

Suggested mitigation measures include the following:

  • Rockwell Automation recommends implementing general best practices, such as using an antimalware solution, minimizing exposure of control system devices to the internet and implementing a defense-in-depth strategy.
  • Where possible, the Modbus TCP functionality should be disabled on affected devices. Without this functionality, potential attackers can’t exploit the vulnerability.
  • Use network filtering solutions to ensure that no Modbus TCP traffic can enter the industrial network from unwanted sources.
  • Consult the product documentation for functions (such as a hardware keyswitch setting) which can prevent unauthorized changes to the product.
  • Block all traffic to EtherNet/IP™ or other CIP-based devices from outside the industrial network, or block/restrict traffic to TCP/UDP ports 2222 and 4418 on affected devices using network filtering equipment.
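The filtering advice above (Modbus TCP only from known sources) can also be enforced or monitored at an inspection point in front of the PLC. The following is an added example, not code from the advisory or from Rockwell Automation: it validates the Modbus/TCP MBAP header of each frame, drops frames from sources outside a constructed allowlist, and flags register/coil write function codes. The advisory does not describe the crafted packet itself, so the header checks are generic consistency checks, and the subnet, host addresses and sample frames are all constructed assumptions.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: only the engineering-workstation subnet may speak Modbus TCP to the PLC.
ALLOWED_MODBUS_SOURCES = [ip_network("10.10.5.0/24")]

# Modbus function codes that modify coil/register values on the device.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class Finding:
    src: str
    reason: str


def parse_mbap(frame: bytes):
    """Return (transaction_id, protocol_id, length, unit_id, pdu); raise ValueError if inconsistent."""
    if len(frame) < 8:  # 7-byte MBAP header plus at least a function code
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # The length field counts unit id + PDU; it must match what is actually on the wire.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6} bytes after header)")
    if length > 254:  # max Modbus/TCP ADU is 260 bytes, i.e. 254 after the 6-byte header
        raise ValueError("MBAP length exceeds Modbus/TCP maximum")
    return tid, pid, length, uid, frame[7:]


def inspect_frame(src: str, frame: bytes):
    """Return a Finding for a frame that should be dropped or alerted on, else None."""
    if not any(ip_address(src) in net for net in ALLOWED_MODBUS_SOURCES):
        return Finding(src, "Modbus TCP from non-allowlisted source")
    try:
        _, _, _, _, pdu = parse_mbap(frame)
    except ValueError as e:
        return Finding(src, f"malformed MBAP: {e}")
    if pdu[0] in WRITE_FUNCTION_CODES:
        return Finding(src, f"register/coil write (function {pdu[0]}) from allowlisted host")
    return None


# Constructed sample frames, not captured from a real device.
SAMPLES = [
    ("10.10.5.20", bytes.fromhex("0001000000060103000A0002")),   # Read Holding Registers 10..11
    ("10.10.5.20", bytes.fromhex("0002000000060106000A0001")),   # Write Single Register 10
    ("203.0.113.9", bytes.fromhex("0003000000060103000A0002")),  # same read, source outside allowlist
    ("10.10.5.20", bytes.fromhex("00040000FFFF0103000A0002")),   # length field disagrees with frame
]


def run(samples=SAMPLES):
    return [inspect_frame(src, f) for src, f in samples]
```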

Source: CISA

  • Vyacheslav Kopeytsev

    Senior Security Researcher, Kaspersky ICS CERT