Headline
CVE-2020-6111: TALOS-2020-1057 || Cisco Talos Intelligence Group
Summary
An exploitable denial-of-service vulnerability exists in the IPv4 functionality of Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000, Series B FRN 15.002, Series B FRN 15.000, Series B FRN 14.000, Series B FRN 13.000, Series B FRN 12.000, Series B FRN 11.000 and Series B FRN 10.000. A specially crafted packet can cause a major error, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Tested Versions
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 10.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 11.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 12.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 13.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 14.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 15.000
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 15.002
Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000
Product URLs
https://ab.rockwellautomation.com/Programmable-Controllers/MicroLogix-1100
CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
CWE-189 - Numeric Errors
Details
Rockwell Automation Allen-Bradley MicroLogix 1100 Programmable Logic Controllers (PLCs) are marketed for use in a variety of different Industrial Control System (ICS) applications and processes. As such, these devices are often relied upon for the performance of critical process control functions in many different critical infrastructure sectors.
If an ICMP packet with an invalid IPv4 total length is sent to a MicroLogix 1100 over the network, the PLC crashes and enters a fault state. The vulnerability can be triggered over the network without authentication, provided that the device is reachable.
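As an added example (not part of the Talos advisory or of Rockwell's code), the following is a length-consistency check that a monitoring sensor or filtering gateway in front of the PLC could apply to IPv4/ICMP traffic. The advisory does not say which total-length values are invalid, so the conditions tested here are assumptions; the function names and the sample packets using RFC 5737 addresses are constructed.

```python
import struct

ICMP = 1  # IPv4 protocol number for ICMP


def build_ipv4_icmp(total_length, icmp=b"\x08\x00\x00\x00\x00\x01\x00\x01"):
    """Constructed sample: 20-byte IPv4 header (checksum left 0) + ICMP bytes."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64,
                         ICMP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + icmp


def check_ipv4_length(packet):
    """Return a list of length problems found in one IPv4 packet (bytes)."""
    if len(packet) < 20:
        return ["truncated: fewer than 20 bytes"]
    version_ihl, _tos, total_length = struct.unpack("!BBH", packet[:4])
    if version_ihl >> 4 != 4:
        return ["not IPv4"]
    header_len = (version_ihl & 0x0F) * 4
    problems = []
    if header_len < 20:
        problems.append(f"IHL gives {header_len}-byte header, minimum is 20")
    if total_length < header_len:
        problems.append(f"total length {total_length} < header length {header_len}")
    # Trailing link-layer padding is normal, so only the "claims more
    # bytes than were received" direction is treated as a problem.
    if total_length > len(packet):
        problems.append(f"total length {total_length} > {len(packet)} bytes received")
    # Assumption: an ICMP message needs at least its 8-byte header.
    if packet[9] == ICMP and 0 <= total_length - header_len < 8:
        problems.append("total length leaves less than 8 bytes for ICMP")
    return problems


def flag_suspect_icmp(packets):
    """Indexes of ICMP packets whose length fields are inconsistent."""
    return [i for i, p in enumerate(packets)
            if len(p) >= 20 and p[9] == ICMP and check_ipv4_length(p)]


if __name__ == "__main__":
    samples = [build_ipv4_icmp(28), build_ipv4_icmp(10), build_ipv4_icmp(1500),
               build_ipv4_icmp(28) + b"\x00" * 18]  # last one: padded frame
    for i, pkt in enumerate(samples):
        print(i, check_ipv4_length(pkt) or "ok")
```

Packets flagged by `flag_suspect_icmp` are candidates for dropping or alerting before they reach the controller.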
Crash Information
Major Error - 0008h - Internal software error
Timeline
2020-05-03 - Vendor Disclosure
2020-07-13 - Vendor requested extension; Disclosure extension granted to end of October
2020-10-13 - Public Release
Discovered by Emanuel Almeida of Cisco Systems, Inc.