PT-2018-5665 · Allen Bradley · Allen Bradley Micrologix 1400 Series B
Published 2018-04-05 · Updated 2022-04-19 · CVE-2017-14470
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Allen Bradley Micrologix 1400 Series B FRN versions 21.2 and before
Description:
An access control issue exists in the data, program, and function file permissions functionality. This allows a specially crafted packet to perform read or write operations, potentially disclosing sensitive information, modifying settings, or altering ladder logic. An attacker can exploit this without authentication by sending specific packets. The issue is triggered when a float value is set to 0xffffffff, considered as NaN, and used in the PLC, resulting in a fault.
Recommendations:
For Allen Bradley Micrologix 1400 Series B FRN versions 21.2 and before, consider restricting access to the device when it is in REMOTE, PROG, or RUN Keyswitch State to minimize the risk of exploitation. As a temporary workaround, avoid using float values set to 0xffffffff in the PLC until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
Allen Bradley Micrologix 1400 Series B