Details of VAR-201804-0374

ID

VAR-201804-0374

CVE

CVE-2017-14463

TITLE

Allen Bradley Micrologix 1400 Series Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-013213

DESCRIPTION

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Associated Fault Code: 0012 Fault Type: Non-User Description: A fault state can be triggered by overwriting the ladder logic data file (type 0x22 number 0x02) with null values. The AllenBradley Micrologix 1400 SeriesBFRN is a programmable logic controller from Rockwell Automation

Trust: 2.43

sources: NVD: CVE-2017-14463 // JVNDB: JVNDB-2017-013213 // CNVD: CNVD-2018-08280 // IVD: e2ecee80-39ab-11e9-b0e1-000c29342cb1 // VULHUB: VHN-105188

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: e2ecee80-39ab-11e9-b0e1-000c29342cb1 // CNVD: CNVD-2018-08280

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	micrologix 1400 b	scope:	lte	version:	21.2	Trust: 1.0
vendor:	rockwell automation	model:	micrologix 1400	scope:	lte	version:	b frn 21.2	Trust: 0.8
vendor:	rockwell	model:	automation allen bradley micrologix series b frn	scope:	eq	version:	1400<=21.2	Trust: 0.6
vendor:	rockwellautomation	model:	micrologix 1400 b	scope:	eq	version:	21.2	Trust: 0.6
vendor:	micrologix 1400 b	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: e2ecee80-39ab-11e9-b0e1-000c29342cb1 // CNVD: CNVD-2018-08280 // JVNDB: JVNDB-2017-013213 // CNNVD: CNNVD-201709-558 // NVD: CVE-2017-14463

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-14463
value:	CRITICAL
Trust: 1.0
talos-cna@cisco.com:	CVE-2017-14463
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-14463
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2018-08280
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201709-558
value:	CRITICAL
Trust: 0.6
IVD:	e2ecee80-39ab-11e9-b0e1-000c29342cb1
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-105188
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-14463
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-08280
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2ecee80-39ab-11e9-b0e1-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-105188
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-14463
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
talos-cna@cisco.com:	CVE-2017-14463
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.0
Trust: 1.0
NVD:	CVE-2017-14463
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: e2ecee80-39ab-11e9-b0e1-000c29342cb1 // CNVD: CNVD-2018-08280 // VULHUB: VHN-105188 // JVNDB: JVNDB-2017-013213 // CNNVD: CNNVD-201709-558 // NVD: CVE-2017-14463 // NVD: CVE-2017-14463

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-105188 // JVNDB: JVNDB-2017-013213 // NVD: CVE-2017-14463

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-558

TYPE

Access control error

Trust: 0.8

sources: IVD: e2ecee80-39ab-11e9-b0e1-000c29342cb1 // CNNVD: CNNVD-201709-558

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013213

PATCH

title:

MicroLogix 1400 プログラマブル・ロジック・コントローラ・システム

url:

https://ab.rockwellautomation.com/ja/Programmable-Controllers/MicroLogix-1400

Trust: 0.8

sources: JVNDB: JVNDB-2017-013213

EXTERNAL IDS

db:	NVD	id:	CVE-2017-14463	Trust: 3.3
db:	TALOS	id:	TALOS-2017-0443	Trust: 3.1
db:	CNNVD	id:	CNNVD-201709-558	Trust: 0.9
db:	CNVD	id:	CNVD-2018-08280	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-013213	Trust: 0.8
db:	IVD	id:	E2ECEE80-39AB-11E9-B0E1-000C29342CB1	Trust: 0.2
db:	VULHUB	id:	VHN-105188	Trust: 0.1

sources: IVD: e2ecee80-39ab-11e9-b0e1-000c29342cb1 // CNVD: CNVD-2018-08280 // VULHUB: VHN-105188 // JVNDB: JVNDB-2017-013213 // CNNVD: CNNVD-201709-558 // NVD: CVE-2017-14463

REFERENCES

url:	https://www.talosintelligence.com/vulnerability_reports/talos-2017-0443	Trust: 3.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14463	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-14463	Trust: 0.8
url:	https://talosintelligence.com/vulnerability_reports/talos-2017-0443	Trust: 0.6

sources: CNVD: CNVD-2018-08280 // VULHUB: VHN-105188 // JVNDB: JVNDB-2017-013213 // CNNVD: CNNVD-201709-558 // NVD: CVE-2017-14463

SOURCES

db:	IVD	id:	e2ecee80-39ab-11e9-b0e1-000c29342cb1
db:	CNVD	id:	CNVD-2018-08280
db:	VULHUB	id:	VHN-105188
db:	JVNDB	id:	JVNDB-2017-013213
db:	CNNVD	id:	CNNVD-201709-558
db:	NVD	id:	CVE-2017-14463

LAST UPDATE DATE

2024-11-23T21:39:27.748000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-08280	date:	2018-04-25T00:00:00
db:	VULHUB	id:	VHN-105188	date:	2022-12-14T00:00:00
db:	JVNDB	id:	JVNDB-2017-013213	date:	2018-06-06T00:00:00
db:	CNNVD	id:	CNNVD-201709-558	date:	2022-04-20T00:00:00
db:	NVD	id:	CVE-2017-14463	date:	2024-11-21T03:12:50.683

SOURCES RELEASE DATE

db:	IVD	id:	e2ecee80-39ab-11e9-b0e1-000c29342cb1	date:	2018-04-25T00:00:00
db:	CNVD	id:	CNVD-2018-08280	date:	2018-04-25T00:00:00
db:	VULHUB	id:	VHN-105188	date:	2018-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-013213	date:	2018-06-06T00:00:00
db:	CNNVD	id:	CNNVD-201709-558	date:	2017-09-14T00:00:00
db:	NVD	id:	CVE-2017-14463	date:	2018-04-05T21:29:00.570