CVE-2017-14463

Name of the Vulnerable Software and Affected Versions: Allen Bradley Micrologix 1400 Series B versions 21.2 and before

Description: An exploitable access control issue exists in the data, program, and function file permissions functionality. A specially crafted packet can cause a read or write operation, resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this issue. The required Keyswitch State is REMOTE or PROG, and the Associated Fault Code is 0012, which is a Non-User fault type. A fault state can be triggered by overwriting the ladder logic data file with null values.

Recommendations: For versions 21.2 and before, consider restricting access to the device when the Keyswitch State is set to REMOTE or PROG to minimize the risk of exploitation. As a temporary workaround, avoid using the device in these states until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.