CVE-2016-9334

Name of the Vulnerable Software and Affected Versions Rockwell Automation Allen-Bradley MicroLogix 1100 controller versions prior to 14.000 Rockwell Automation Micrologix 1400 (affected versions not specified)

Description An issue was discovered where user credentials are sent to the web server in clear text. This may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server. The vulnerability is related to the lack of protection for service data, which can be exploited by a remote attacker to obtain user credentials in unencrypted form by eavesdropping on traffic between the browser and the server.

Recommendations For Rockwell Automation Allen-Bradley MicroLogix 1100 controller versions prior to 14.000, consider disabling web server access until a patch is available to prevent clear text transmission of user credentials. For Rockwell Automation Micrologix 1400, at the moment, there is no information about a newer version that contains a fix for this vulnerability.