CVE-2017-14472

Name of the Vulnerable Software and Affected Versions: Allen Bradley Micrologix 1400 Series B FRN versions 21.2 and before

Description: The issue allows for an exploitable access control vulnerability in the data, program, and function file permissions functionality. This can be triggered by a specially crafted packet, resulting in the disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to exploit this issue. The vulnerability can be triggered by requesting a specific set of bytes from an undocumented data file, which returns the ASCII version of the master password.

Recommendations: For Allen Bradley Micrologix 1400 Series B FRN versions 21.2 and before, consider restricting access to the undocumented data file to minimize the risk of exploitation. As a temporary workaround, limit the ability to send unauthenticated packets to the device until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.