CVE-2017-14462

Vulnerability

A missing access control vulnerability exists in the file permissions of Allen Bradley MicroLogix 1400 Series B with FRN 21.2 and earlier (tested versions include 21.2, 21.0, and 15) [1]. The device fails to authenticate or authorize requests to read or write certain data, program, and function files. An attacker can leverage CIP encapsulated PCCC commands (function codes 0xa1, 0xa2 for reads, 0xa7, 0xa9, 0xaa, 0xab for writes) to interact with these files without authentication [1]. The required keyswitch state is REMOTE or PROG (also RUN for some operations) [1]. This specific issue (CVE-2017-14462) allows enabling SNMP, Modbus, DNP, and other channel features, as well as changing network parameters like IP address, name server, and domain name [1].

Exploitation

An attacker with network access to the PLC sends specially crafted, unauthenticated PCCC packets encapsulated in CIP [1]. No prior authentication or user interaction is required. The keyswitch must be in REMOTE or PROG position (RUN also works for certain operations) [1]. By targeting the appropriate file and using write function codes (0xa7, 0xa9, 0xaa, 0xab), the attacker modifies channel configuration and network settings [1].

Impact

Successful exploitation allows an attacker to alter critical network configuration and enable or disable communication protocols on the PLC [1]. This can lead to disclosure of sensitive information (e.g., reading network parameters), denial of service by misconfiguring the device, or facilitate further attacks by opening additional attack surfaces (e.g., enabling insecure protocols) [1]. The CVSSv3 score is 10.0, indicating the highest severity due to network-based, unauthenticated access with no user interaction and potential for full compromise of confidentiality, integrity, and availability [1].

Mitigation

Rockwell Automation (Allen Bradley) has not released a patch for the MicroLogix 1400 Series B, as these devices have reached end-of-life (EOL) status [1]. No firmware update is available. Mitigation strategies include network segmentation, restricting access to the PLC via firewalls, using VPNs, and monitoring for unauthorized PCCC commands [1]. Operators should consider migrating to supported products. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.