This vulnerability was discovered by Patrick DeSantis.

In addition to the default, documented SNMP community strings of ‘public’ (read) and ‘private’ (read/write), an undocumented community string of ‘wheel’ (read/write) also exists. It enables attackers to make unauthorized device changes, such as modifying settings or performing malicious firmware updates. This community string may also grant access to other OIDs; however, Talos tested only specific use cases.

Versions Tested
Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controller Systems versions 7 - 15.004.

Historically, attacks against SNMPv1 and SNMPv2c services have relied either on the exploitation of default community strings left in place in production, or on an attacker sniffing SNMP traffic between two devices in order to obtain the community string values needed to launch further attacks against those devices.

While operators can change the default SNMP community strings on affected devices, the fact that this community string is not documented by the vendor drastically decreases the likelihood of it being changed before the PLCs are deployed to production, as most operators are unlikely to even be aware of its existence. Given the severity of this issue, and the fact that this functionality has not been removed from affected devices, it is recommended that mitigations be put in place to prevent successful exploitation in production environments. Some recommendations for mitigation are listed here.

TALOS-2016-0184 is detected by SIDs 39876 and 39877.
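As an added detection example (not the Snort signatures cited above, and not Talos code): a minimal BER parser that pulls the version and community string out of an SNMPv1/v2c UDP payload and flags any message presenting the undocumented ‘wheel’ community, noting whether it is a SetRequest. The request builder exists only to construct sample input; community strings are assumed to be shorter than 128 bytes.

```python
"""Flag SNMPv1/v2c messages that use the undocumented 'wheel' community.
Constructed example for monitoring SNMP traffic to MicroLogix 1400 PLCs."""

SUSPICIOUS_COMMUNITIES = {b"wheel"}
SET_REQUEST = 0xA3  # context-specific tag 3 = SetRequest-PDU


def _read_tlv(buf, pos):
    """Parse one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, bytes(buf[pos:pos + length]), pos + length


def parse_snmp_header(payload):
    """Return (version, community, pdu_type) from a raw SNMP UDP payload.
    Raises ValueError for anything that is not an SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):  # 0 = SNMPv1, 1 = SNMPv2c; v3 has no community
        raise ValueError("not SNMPv1/v2c")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, community, body[pos]


def build_snmp_request(community, version=1, pdu_type=0xA0):
    """Construct a minimal request with an empty varbind list (test input)."""
    pdu = bytes([pdu_type, 0x0B, 0x02, 0x01, 0x01,  # request-id 1
                 0x02, 0x01, 0x00, 0x02, 0x01, 0x00,  # error-status/index 0
                 0x30, 0x00])                          # empty varbind SEQUENCE
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body


def flag_wheel(payload):
    """Return an alert dict if the message uses a suspicious community, else None."""
    try:
        _version, community, pdu_type = parse_snmp_header(payload)
    except (ValueError, IndexError):  # malformed or non-v1/v2c traffic
        return None
    if community in SUSPICIOUS_COMMUNITIES:
        return {"community": community.decode(), "set": pdu_type == SET_REQUEST}
    return None
```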

For full details regarding this vulnerability, please see the advisory here.