CVE-2017-14473

Vulnerability

The vulnerability exists in the data, program, and function file permissions of Allen Bradley MicroLogix 1400 Series B FRN 21.2 and before. The PLC does not enforce proper access control on numerous files, allowing unauthenticated users to read or write them using CIP encapsulated PCCC commands with function codes 0xa1, 0xa2 (read) and 0xa7, 0xa9, 0xaa, 0xab (write) [1]. This specific CVE (CVE-2017-14473) targets reading the encoded ladder logic from its data file and outputting it in HEX [1]. Affected versions include FRN 21.2, 21.0, and 15 [1].

Exploitation

An attacker can send unauthenticated packets over the network to the PLC without any prior authentication or keyswitch state requirement (any keyswitch state is acceptable) [1]. The attacker crafts a CIP encapsulated PCCC command using the appropriate read function code (0xa1 or 0xa2) to target the ladder logic data file. No user interaction or special privileges are needed; the attack is remotely exploitable over the network [1].

Impact

Successful exploitation allows an attacker to read the encoded ladder logic, which may contain sensitive intellectual property or operational logic. Additionally, the broader access control flaw enables modification of settings, ladder logic, or triggering device faults, potentially leading to full compromise of the PLC's operation [1]. The CVSSv3 score is 10.0, indicating critical severity with high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2018-04-05), no patch or firmware update was available from Rockwell Automation to address this vulnerability [1]. Users should apply network segmentation and restrict access to the PLC to trusted hosts only. Monitor Talos and Rockwell advisories for future updates. The product may be end-of-life; consult vendor support.