CVE-2016-9338 in MicroLogix
Summary
by MITRE
An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. Because of an Incorrect Permission Assignment for Critical Resource, users with administrator privileges may be able to remove all administrative users requiring a factory reset to restore ancillary web server function. Exploitation of this vulnerability will still allow the affected device to function in its capacity as a controller.
Analysis
by VulDB Data Team • 08/14/2020
The vulnerability identified as CVE-2016-9338 affects Rockwell Automation Allen-Bradley MicroLogix 1100 controllers, specifically models 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, and 1763-L16DWD across Series A and B with firmware versions 14.000 and earlier. This issue represents a critical security flaw that stems from improper permission assignment for critical system resources, placing the entire industrial control system at risk of unauthorized administrative access. The vulnerability resides within the web server component of these controllers, which serves as the primary interface for remote configuration and monitoring activities in industrial environments.
The technical flaw manifests as an incorrect permission assignment in the web server's user management function. An attacker who already holds administrator privileges can remove every administrative user from the system configuration, locking out legitimate administrators and rendering the web server's administrative interface inaccessible. This weakness maps directly to CWE-276 (Incorrect Permission Assignment for Critical Resource), a well-documented pattern that occurs when a security-relevant resource, here the set of administrative accounts, is not protected from modification that should never be permitted. The flaw essentially creates a privilege escalation scenario where existing administrative access can be leveraged to completely eliminate administrative capabilities, forcing operators to perform a factory reset to restore functionality.
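To make the CWE-276 pattern concrete, the following added example (not Rockwell Automation's code, and not a reconstruction of the MicroLogix firmware) models a small web-server account store with two deletion paths: an unguarded one that behaves the way the advisory describes, and a hardened one that treats the administrative role as a critical resource and refuses any deletion that would leave the device without an administrator. All class, function and account names are hypothetical.

```python
"""Illustrative model of the CWE-276 pattern described for CVE-2016-9338.

Added example, not vendor code: an account store in which an administrator
may delete accounts.  `delete_unguarded` mirrors the advisory's behaviour
(the last administrator can be removed); `delete_guarded` enforces the
"at least one administrator" invariant.  Names here are hypothetical.
"""
from dataclasses import dataclass, field

ADMIN = "administrator"
OPERATOR = "operator"


class LastAdminError(PermissionError):
    """Raised when a deletion would leave the device with no administrators."""


@dataclass
class AccountStore:
    # username -> role (constructed sample data)
    accounts: dict = field(default_factory=dict)

    def admins(self):
        return [u for u, r in self.accounts.items() if r == ADMIN]

    def delete_unguarded(self, actor, target):
        """Unguarded pattern: any administrator may remove any account, the
        last administrator included.  Afterwards nobody can administer the
        web server, which is the condition the advisory describes."""
        if self.accounts.get(actor) != ADMIN:
            raise PermissionError("only administrators may delete accounts")
        del self.accounts[target]

    def delete_guarded(self, actor, target):
        """Hardened pattern: the administrative role is a critical resource,
        so a request that would remove the last administrator is refused."""
        if self.accounts.get(actor) != ADMIN:
            raise PermissionError("only administrators may delete accounts")
        if target not in self.accounts:
            raise KeyError(target)
        if self.accounts[target] == ADMIN and len(self.admins()) == 1:
            raise LastAdminError("refusing to remove the last administrator")
        del self.accounts[target]


def sample_store():
    """Constructed starting state: two administrators and one operator."""
    return AccountStore({"admin": ADMIN, "backup_admin": ADMIN, "op1": OPERATOR})


def demo_unguarded():
    """An administrator removes the other admin and then itself.
    Returns the administrators that remain (none)."""
    store = sample_store()
    store.delete_unguarded("admin", "backup_admin")
    store.delete_unguarded("admin", "admin")  # self-deletion is not stopped
    return store.admins()  # [] -> web server has no administrative user


def demo_guarded():
    """Same sequence against the hardened store.
    Returns (remaining administrators, whether the last deletion was refused)."""
    store = sample_store()
    store.delete_guarded("admin", "backup_admin")
    try:
        store.delete_guarded("admin", "admin")
        refused = False
    except LastAdminError:
        refused = True
    return store.admins(), refused


if __name__ == "__main__":
    print("unguarded, admins left:", demo_unguarded())
    print("guarded, (admins left, refused):", demo_guarded())
```

The guard is deliberately placed in the account store rather than in the web handler, so that every path that can delete an account (web form, API, bulk import) passes through the same invariant check; a check that lives only in one UI path is the kind of gap that lets a "critical resource" be modified in ways the designer never intended.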
The operational impact of this vulnerability extends beyond a simple access control issue, because it compromises both the integrity and the availability of the industrial control system's management plane. While the affected controllers continue to function as programmable logic controllers, the complete removal of administrative users makes normal maintenance and configuration changes impossible without physical intervention. This is particularly dangerous in industrial settings where continuous operation is critical: it can lead to extended downtime and potential safety hazards if administrators cannot reach the web interface to apply updates or troubleshoot issues. The vulnerability also aligns with ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing), as it allows for privilege escalation that could enable attackers to gain persistent access to industrial control systems.
Mitigation strategies for this vulnerability should include immediate firmware updates to versions that address the permission assignment flaw, which would typically be available through Rockwell Automation's official support channels. Organizations should implement network segmentation to isolate these controllers from general network access, limiting potential attack vectors and reducing the impact of successful exploitation. Regular security assessments and monitoring of administrative user accounts should be conducted to detect unauthorized modifications, while implementing multi-factor authentication mechanisms where possible to add additional security layers. System administrators should also establish comprehensive backup and recovery procedures that include documented steps for restoring administrative access in case of exploitation, as the factory reset requirement creates a significant operational challenge. The vulnerability demonstrates the importance of proper privilege management in industrial control systems and highlights the need for security-by-design principles in critical infrastructure components.
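The monitoring recommendation above can be turned into a concrete detective control. The following added example (not part of the advisory and not a Rockwell tool) replays account-change events from an audit source, reports every removal of an administrator account, and escalates the event that leaves zero administrators, since at that point the advisory says only a factory reset restores web-server administration. The log format, field names, addresses and event lines are constructed for this example; a real deployment would adapt `parse_event` to whatever audit source it has.

```python
"""Detective control for the mitigation advice: flag administrative-account
removals on a controller, escalating when no administrator remains.

Added example, not vendor tooling.  The event format and the sample lines
below are constructed (hypothetical); adapt `parse_event` to a real source.
"""
import re

# Constructed sample events, one account-change record per line.
SAMPLE_EVENTS = """\
2020-08-14T09:58:01Z src=10.0.5.21 actor=admin action=login result=ok
2020-08-14T09:58:30Z src=10.0.5.21 actor=admin action=delete_user target=op1 role=operator
2020-08-14T09:59:02Z src=10.0.5.21 actor=admin action=delete_user target=backup_admin role=administrator
2020-08-14T09:59:40Z src=10.0.5.21 actor=admin action=delete_user target=admin role=administrator
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'timestamp key=value key=value ...' into a dict (hypothetical format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def audit_admin_removals(lines, initial_admins):
    """Replay account-change events and return (alerts, remaining_admins).

    Every deletion of an administrator account produces a HIGH alert; the
    deletion that leaves the administrator set empty is CRITICAL, because
    recovery then requires a factory reset rather than a configuration change.
    """
    admins = set(initial_admins)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "delete_user":
            continue
        if ev.get("role") == "administrator":
            admins.discard(ev["target"])
            severity = "CRITICAL" if not admins else "HIGH"
            alerts.append(
                f"{severity} {ev['ts']} administrator '{ev['target']}' removed by "
                f"'{ev['actor']}' from {ev['src']}; {len(admins)} admin(s) left"
            )
    return alerts, admins


def run_sample():
    """Run the audit over the constructed events with a known admin baseline."""
    return audit_admin_removals(SAMPLE_EVENTS, {"admin", "backup_admin"})


if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(alert)
```

The baseline of expected administrator accounts is supplied explicitly rather than inferred from the log, which lets the same routine also detect a silent divergence (an account that disappears without a logged deletion) when a periodic export of the controller's user list is compared against that baseline.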