PT-2018-5659 · Allen Bradley · Allen Bradley Micrologix 1400 Series B

Published: 2018-04-05 · Updated: 2022-12-14 · CVE-2017-14464

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Allen Bradley Micrologix 1400 Series B versions 21.2 and before
Description: An exploitable access control issue exists in the data, program, and function file permissions functionality. A specially crafted packet can cause a read or write operation, resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this issue. The required Keyswitch State is REMOTE or PROG, and a fault state can be triggered by setting the NVRAM/memory module user program mismatch bit when a memory module is not installed.
Recommendations: For versions 21.2 and before, consider restricting access to the device when the Keyswitch State is set to REMOTE or PROG to minimize the risk of exploitation. As a temporary workaround, avoid operating the device without a memory module installed, as this can trigger a fault state. At the moment, there is no information about a newer version that contains a fix for this issue.

Related Identifiers

CVE-2017-14464

Affected Products

Allen Bradley Micrologix 1400 Series B