Critical Bugs in Rockwell, Johnson Controls ICS Gear
A set of critical vulnerabilities in Rockwell Automation gear was discovered recently. The bugs affect MicroLogix 1400 Controllers, MicroLogix 1100 Controllers and RSLogix 500 Software. The vulnerabilities are known to require very little skill to exploit and have been discovered in products from both Rockwell Automation and Johnson Controls, impacting both companies’ industrial control systems infrastructure.
Using these vulnerabilities, an attacker could gain access to sensitive project file information, including passwords. The bugs are rated 9.8 out of 10 on the CVSS v3 severity scale. The rating reflects the underlying weaknesses: hard-coded cryptographic keys, the use of a broken or risky algorithm for password protection, client-side authentication, and cleartext storage of sensitive information.