Talos recently discovered a vulnerability in Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controllers (PLCs) related to the default configuration shipped with devices running affected versions of firmware. The vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices, granting the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.
In addition to the default, documented SNMP community strings of ‘public’ (read) and ‘private’ (read/write), an undocumented community string of ‘wheel’ (read/write) also exists, which enables attackers to make unauthorized device changes, such as modifying settings or conducting malicious firmware updates. It is possible that this community string also allows access to other OIDs; however, Talos tested only specific use cases.
Affected versions: Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controller Systems, versions 7 - 15.004.
Historically, attacks against SNMPv1 and SNMPv2c services have relied on default community strings being left in place in production, or have required an attacker to sniff network communications between two devices using SNMP in order to obtain the community string values needed to launch further attacks against devices.
While it is possible for operators to change the default SNMP community strings on affected devices, the fact that this SNMP string is not documented by the vendor drastically decreases the likelihood of this value being changed prior to production deployment of the PLCs, as most operators are not likely to even be aware of its existence. Given the severity of this issue, and the fact that this functionality has not been removed from affected devices, it is recommended that mitigations be put in place to prevent the successful exploitation of this vulnerability in production environments. Some recommendations for mitigation are listed here.
TALOS-2016-0184 is detected by SIDs 39876 and 39877.
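To show what network-side detection of this issue looks like, here is an added example (written for this post; it is not Talos, Snort or Rockwell code) that parses the header of a raw SNMPv1/v2c datagram and flags use of the undocumented ‘wheel’ community string, or a write (SetRequest) that relies on a documented default string. The community-string policy sets and the sample datagrams are constructed here as assumptions, not taken from captured traffic.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # documented defaults named in the post
UNDOCUMENTED_COMMUNITIES = {"wheel"}          # undocumented string named in the post
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}

def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return version, community and PDU type of a raw SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)            # INTEGER version: 0 = v1, 1 = v2c
    if tag != 0x02 or ver not in (b"\x00", b"\x01"):
        raise ValueError("not an SNMPv1/v2c message")
    tag, community, pos = _read_tlv(body, pos)    # OCTET STRING community
    if tag != 0x04:
        raise ValueError("community string missing")
    pdu_tag = _read_tlv(body, pos)[0]             # context-specific PDU tag
    return {"version": "v1" if ver == b"\x00" else "v2c",
            "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")}

def inspect(datagram):
    """Return an alert string for a datagram worth an analyst's attention, else None."""
    hdr = parse_snmp_header(datagram)
    if hdr["community"] in UNDOCUMENTED_COMMUNITIES:
        return f"{hdr['version']} {hdr['pdu']} using undocumented community '{hdr['community']}'"
    if hdr["pdu"] == "SetRequest" and hdr["community"] in DEFAULT_COMMUNITIES:
        return f"{hdr['version']} SetRequest using default community '{hdr['community']}'"
    return None

# Constructed sample traffic (assumed, not captured): minimal messages with
# request-id 1, no error and an empty varbind list, short-form lengths only.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value
def build_snmp(version, community, pdu_tag):
    pdu = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, b"")
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu))

SAMPLE_DATAGRAMS = [build_snmp(0, "public", 0xA0),    # routine v1 read: no alert
                    build_snmp(1, "wheel", 0xA3),     # v2c write with the undocumented string
                    build_snmp(1, "private", 0xA3)]   # v2c write with a documented default
```

Feeding `inspect` the UDP payload of each port 161 datagram seen on the PLC network segment gives a simple audit of which community strings are actually in use before any SNMP hardening is rolled out.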
For full details regarding this vulnerability, please see the advisory here.