External risk intelligence

Allen-Bradley MicroLogix Remote Code Execution Vulnerability.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2015-6490

A stack-based buffer overflow in Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 controllers allows an unauthenticated remote attacker to execute arbitrary code on the device. Code execution on a PLC means control of the industrial process it runs, so this is a business-continuity and safety risk, not only an IT one.

Halo Surface Signal score: 2

Memory Corruption

Affected firmware

  • Rockwell Automation MicroLogix 1100 firmware: 14.000 and earlier
  • Rockwell Automation MicroLogix 1400 firmware: 15.002 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2015-6490

The affected devices are industrial programmable logic controllers (PLCs). They are network-connected, but they are normally deployed inside segmented industrial control system (ICS) networks and are not intended to be reachable from the public internet, so Halo Surface Signal rates external exposure as Unlikely. That rating assumes the segmentation actually holds: a flat plant network, a remote-access path into the OT zone, or a misconfigured boundary firewall puts the controller within reach of the same attack.

PCI scan relevance

PCI Relevance for CVE-2015-6490: Yes

Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is relevant for PCI scans due to its critical severity and potential for remote code execution. It affects Rockwell Automation MicroLogix 1100 and 1400 devices, which could be used in environments handling cardholder data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts Rockwell Automation MicroLogix devices. It allows attackers to execute arbitrary code on the affected systems. This could lead to unauthorized control or disruption of industrial processes.

  • Rockwell Automation MicroLogix devices
  • Stack-based buffer overflow vulnerability
  • Arbitrary code execution

Attack Path

How an attacker could exploit the issue

The attack is a stack-based buffer overflow reachable over the network. The advisory does not specify which service or message triggers it, so treat every network-facing service on the controller as potentially in scope. A successful overflow gives the attacker arbitrary code execution on the controller and, from there, a foothold for manipulating the process or moving further into the industrial environment.

  • The attacker reaches the controller over the network; no credentials or prior foothold are needed.
  • A malformed input (the exact vector is not specified in the advisory) overflows a fixed-size stack buffer.
  • The corrupted stack state is turned into arbitrary code execution on the controller.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk because it yields remote code execution on an industrial control device. Exploitation needs only network reachability of the controller, not credentials or a prior foothold; the skill needed to turn a stack overflow on embedded firmware into reliable code execution is high. Compromise of a PLC can disrupt the process it controls and can have physical safety consequences.

  • Likely attacker skill level: High
  • Required access or conditions: Remote, no authentication
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Rockwell Automation MicroLogix controllers allows remote code execution over the network, so an exposed controller can be compromised from outside. Organizations using these devices should identify them, confirm their exposure, and fix them in priority order.

  • Find affected assets: inventory every MicroLogix 1100 and 1400 controller and record its firmware version. MicroLogix 1100 at 14.000 or earlier and MicroLogix 1400 at 15.002 or earlier are in scope; compare versions numerically, not as strings, and treat a controller whose version is unknown as in scope until checked.
  • Reduce exposure or isolate risk: verify that no affected controller is reachable from the internet or from the corporate network except through controlled, monitored paths, and block the controllers' services at the ICS boundary firewall.
  • Fix, verify, and monitor: upgrade affected controllers to a firmware release later than the affected ranges above, re-read the version from the device after the upgrade to confirm it took, and alert on unexpected connections to the controllers.
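The "find affected assets" step above is where inventory data usually betrays people: firmware versions are stored as strings, and a string comparison ranks 9.000 above 14.000. The following Python is an added example, not code from this advisory or from Rockwell Automation. It takes the affected ranges stated above, parses firmware versions numerically, and ranks affected controllers by how exposed they are. The inventory rows, the `zone` field and the P1/P2/P3 scheme are constructed assumptions for the example.

```python
"""Firmware-version triage for CVE-2015-6490 across a PLC inventory.

Added example; not code from the advisory or from Rockwell Automation.
Affected ranges come from the advisory above. The inventory rows, the
`zone` field and the P1/P2/P3 scheme are constructed assumptions.
"""
from dataclasses import dataclass

# Highest affected firmware per model, from the advisory, held as
# (major, minor) tuples so comparisons are numeric. Plain string comparison
# gets this wrong: "9.000" > "14.000" lexically, yet 9.000 is the older build.
AFFECTED_MAX = {
    "MicroLogix 1100": (14, 0),
    "MicroLogix 1400": (15, 2),
}


def parse_firmware(version: str) -> tuple:
    """Parse a 'MM.mmm' firmware string (e.g. '15.002') into (major, minor).

    Raises ValueError for blank or malformed fields so that a gap in the
    inventory is surfaced rather than silently treated as not affected.
    """
    major, sep, minor = version.strip().partition(".")
    if not sep or not major.isdigit() or not minor.isdigit():
        raise ValueError(f"unparseable firmware version: {version!r}")
    return int(major), int(minor)


def is_affected(model: str, firmware: str) -> bool:
    """True when the model is in scope and firmware is within the affected range."""
    limit = AFFECTED_MAX.get(model)
    if limit is None:
        return False  # not a MicroLogix 1100/1400: out of scope for this CVE
    return parse_firmware(firmware) <= limit


@dataclass(frozen=True)
class Asset:
    name: str
    model: str
    firmware: str
    zone: str  # assumed inventory field: "ics", "dmz" or "internet"


# Constructed sample inventory (not real devices).
INVENTORY = [
    Asset("plc-line1", "MicroLogix 1100", "14.000", "ics"),
    Asset("plc-line2", "MicroLogix 1100", "16.000", "ics"),
    Asset("plc-pump3", "MicroLogix 1400", "15.002", "dmz"),
    Asset("plc-pump4", "MicroLogix 1400", "21.000", "internet"),
    Asset("plc-remote", "MicroLogix 1400", "9.000", "internet"),
    Asset("plc-legacy", "MicroLogix 1100", "", "ics"),
    Asset("hmi-1", "OtherVendor HMI", "11.000", "ics"),
]

# Exposure-driven priority: a controller reachable from outside is urgent;
# one confined to a segmented ICS zone still needs the fix, but later.
PRIORITY_BY_ZONE = {"internet": "P1", "dmz": "P2", "ics": "P3"}


def triage(assets) -> list:
    """Return [(asset name, priority), ...] for affected or unverifiable assets,
    most urgent first. An in-scope model whose version cannot be parsed gets
    'P1-verify': somebody has to go and read the version off the device."""
    findings = []
    for asset in assets:
        try:
            affected = is_affected(asset.model, asset.firmware)
        except ValueError:
            findings.append((asset.name, "P1-verify"))
            continue
        if affected:
            # An unknown zone is treated as the worst case rather than ignored.
            findings.append((asset.name, PRIORITY_BY_ZONE.get(asset.zone, "P1")))
    return sorted(findings, key=lambda finding: finding[1])


if __name__ == "__main__":
    for name, priority in triage(INVENTORY):
        print(f"{priority:<10} {name}")
```

Two design points carry over to any inventory tool: versions are compared as integer tuples so that a 9.000 controller is correctly ranked as older than a 14.000 one, and a blank or unparseable version on an in-scope model is reported for manual verification instead of being dropped from the list as "not affected".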

Frequently asked questions

What are Allen-Bradley MicroLogix devices and their function in industrial settings?

Allen-Bradley MicroLogix devices are programmable logic controllers (PLCs) developed by Rockwell Automation. They are integral to automating and controlling industrial processes within manufacturing and critical infrastructure, ensuring operational efficiency and reliability.

What type of weakness does CVE-2015-6490 represent and how does it function?

CVE-2015-6490 is a stack-based buffer overflow. The affected code copies attacker-controlled input into a fixed-size buffer on the stack without checking its length; input longer than the buffer overwrites adjacent stack data, including control data such as the saved return address, which lets the attacker redirect execution to code of their choosing.

How can an attacker exploit the CVE-2015-6490 vulnerability on MicroLogix devices?

Remote attackers can exploit CVE-2015-6490 by triggering a stack-based buffer overflow on affected Allen-Bradley MicroLogix 1100 and 1400 devices through unspecified network vectors, allowing for arbitrary code execution.

What is the relevance of CVE-2015-6490 given the nature of Allen-Bradley MicroLogix devices?

While affected devices are industrial PLCs, typically within isolated networks, the remote nature of this vulnerability means exploitation is possible if these devices have network connectivity. Halo Surface Signal rates the likelihood of exploitation as 'Unlikely' due to the usual segmentation of such systems.

What practical steps should organizations take to respond to the CVE-2015-6490 vulnerability?

Organizations should identify all affected Allen-Bradley MicroLogix assets, reduce their external exposure by isolating them from untrusted networks, and implement a robust patching or mitigation strategy. Continuous monitoring after remediation is also advised.