CVE-2017-7902
📋 TL;DR
This vulnerability allows an attacker who can capture a valid request to a Rockwell Automation Allen-Bradley MicroLogix 1100 or 1400 controller to replay it, because the controller reuses a nonce that should be unique per request: a captured request stays valid until the nonce is changed. Replaying a valid request can let the attacker issue commands to the controller without knowing any credential of their own. Affected are MicroLogix 1100 and 1400 programmable logic controllers, Series A and B, running firmware version 16.00 and prior (ICS-CERT advisory ICSA-17-115-04).
💻 Affected Systems
- Rockwell Automation Allen-Bradley MicroLogix 1100 (1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD)
- Rockwell Automation Allen-Bradley MicroLogix 1400 (1766-L32AWA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA, 1766-L32AWAA)
📦 What is this software?
- 1763-L16AWA Series A and Series B, Rockwell Automation (MicroLogix 1100)
- 1763-L16BBB Series A and Series B, Rockwell Automation (MicroLogix 1100)
- 1763-L16BWA Series A and Series B, Rockwell Automation (MicroLogix 1100)
- 1763-L16DWD Series A and Series B, Rockwell Automation (MicroLogix 1100)
- 1766-L32AWA Series A and Series B, Rockwell Automation (MicroLogix 1400)
- 1766-L32AWAA Series A and Series B, Rockwell Automation (MicroLogix 1400)
- 1766-L32BWA Series A and Series B, Rockwell Automation (MicroLogix 1400)
- 1766-L32BWAA Series A and Series B, Rockwell Automation (MicroLogix 1400)
- 1766-L32BXB Series A and Series B, Rockwell Automation (MicroLogix 1400)
- 1766-L32BXBA Series A and Series B, Rockwell Automation (MicroLogix 1400)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems allowing unauthorized command execution, process manipulation, equipment damage, or safety system bypass
Likely Case
Unauthorized command replay leading to process disruption, data manipulation, or denial of service in industrial environments
If Mitigated
Limited impact with proper network segmentation and monitoring, since an attacker must first be positioned to capture a valid request; replay remains possible for anyone already inside the segment that can talk to the controller
🎯 Exploit Status
Exploitation requires that the attacker can observe a legitimate request to the controller (for example from a position on the same network segment, or on the path between the engineering workstation and the PLC) and can then reach the controller to re-send it. No credentials of the attacker's own are needed: the captured request already carries a valid one, and because the nonce is reused it stays valid until the controller changes the nonce. The flaw is in the cryptographic design rather than a memory-safety bug, so a replay needs no exploit development beyond recording and re-sending the bytes.
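The replay described above, as an added model of CWE-323 nonce reuse. This is illustration code written for this page, not Rockwell Automation code, and it does not reproduce the MicroLogix wire protocol: the HMAC-based request signing, the shared secret, the verifier classes and the command name are all constructed for the example. Both verifiers check the same tag; the only difference is whether the nonce is fresh and single-use, which is exactly what decides whether a recorded request can be replayed.

```python
"""Model of CWE-323 nonce reuse leading to request replay.

Added illustration only: NOT Rockwell Automation code, and not the
MicroLogix protocol.  Two toy verifiers share the same HMAC-based request
signing; the only difference is whether the verifier hands out a fresh,
single-use nonce per request.  An eavesdropper who records one valid
request can replay it against the reusing verifier but not the rotating one.
"""
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-demo-secret"  # constructed for the example


def sign(command: str, nonce: str) -> str:
    """Client side: bind the command to the verifier's nonce with an HMAC tag."""
    msg = nonce.encode() + b"|" + command.encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


class ReusingNonceVerifier:
    """Vulnerable model: one nonce chosen at start-up, accepted indefinitely."""

    def __init__(self) -> None:
        self.nonce = secrets.token_hex(8)
        self.executed = []  # commands the controller acted on

    def challenge(self) -> str:
        return self.nonce  # same value every time

    def submit(self, command: str, nonce: str, tag: str) -> bool:
        if nonce != self.nonce:
            return False
        if not hmac.compare_digest(tag, sign(command, nonce)):
            return False
        self.executed.append(command)
        return True


class RotatingNonceVerifier:
    """Fixed model: fresh nonce per challenge, retired as soon as it is used."""

    def __init__(self) -> None:
        self.outstanding = set()
        self.executed = []

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.outstanding.add(nonce)
        return nonce

    def submit(self, command: str, nonce: str, tag: str) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown, or already consumed: replay rejected
        if not hmac.compare_digest(tag, sign(command, nonce)):
            return False
        self.outstanding.discard(nonce)  # single use
        self.executed.append(command)
        return True


def run_scenario(verifier):
    """A legitimate operator sends one signed request; an eavesdropper who
    captured the exact bytes re-sends them unchanged.  Returns
    (first_accepted, replay_accepted, commands_executed)."""
    command = "force_output_on"  # constructed command name, not a real PLC command
    nonce = verifier.challenge()
    captured = (command, nonce, sign(command, nonce))
    first = verifier.submit(*captured)
    replay = verifier.submit(*captured)  # attacker knows no secret: same bytes
    return first, replay, len(verifier.executed)


if __name__ == "__main__":
    print("reusing nonce :", run_scenario(ReusingNonceVerifier()))   # (True, True, 2)
    print("rotating nonce:", run_scenario(RotatingNonceVerifier()))  # (True, False, 1)
```

The rotating verifier discards the nonce before acting on the command, so even a replay that races the first request cannot be accepted twice; any real fix must also reject nonces it never issued, which is why the lookup is against the set of outstanding challenges rather than a "last nonce" field.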
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware later than 16.00. Version 16.00 and all prior versions (Series A and B) are affected, so take the exact fixed release for your controller series and catalog number from the vendor advisory below.
Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
Restart Required: Yes
Instructions:
1. Download the firmware update for the exact catalog number and series from the Rockwell Automation website (the advisory links the release).
2. Back up the controller project and configuration.
3. Apply the firmware update with Rockwell's firmware update tool (ControlFLASH) from the programming workstation.
4. Restart the PLC.
5. Verify that the reported firmware version is later than 16.00.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected PLCs in a separate network segment with strict firewall rules, so that only the engineering workstations that must program or poll them can reach them
Encryption Layer
Tunnel PLC communications through a VPN or IPsec gateway so that an attacker outside the tunnel cannot capture a valid request; this does not stop replay by anyone already inside the tunnel or the controller's segment
🧯 If You Can't Patch
- Implement strict network segmentation and access controls to limit who can communicate with PLCs
- Deploy network monitoring and intrusion detection specifically for replay attack patterns
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the programming software or the controller's web interface. If the version is 16.00 or prior (Series A or B), the controller is vulnerable.
Check Version:
Use Rockwell Automation programming software (RSLogix 500) to read controller properties and check firmware version
Verify Fix Applied:
Verify that the firmware version is later than 16.00. In a test environment, capture one valid request to the updated controller, re-send the identical bytes, and confirm the controller rejects the second copy.
📡 Detection & Monitoring
Log Indicators:
- Repeated identical encrypted packets
- Unexpected command sequences
- PLC accepting commands from unusual sources
Network Indicators:
- Identical encrypted payloads at different times
- Suspicious timing of command packets
- Traffic patterns suggesting replay attacks
SIEM Query (pseudo-logic; map to your platform's field names):
dest_ip=<PLC_IP> AND payload_hash=<hash already seen earlier for this PLC> AND (src_ip != <source of the first occurrence> OR _time - <time of the first occurrence> > <retransmit window>)
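The network indicators above, as an added detection example run over a constructed capture. This is not part of the original page or any vendor tooling; the controller address, the retransmit window and the request bytes are all assumptions chosen for the example, and the payloads are opaque bytes that encode no real controller command. Identical requests that arrive from a different source, or from the same source after the retransmit window has elapsed, are reported; immediate duplicates inside the window are treated as ordinary TCP retransmissions.

```python
"""Replay-pattern detection over PLC-bound traffic.

Added example, not part of the original page or any vendor tooling.  Input
is a list of constructed capture records (timestamp, src, dst, payload);
in practice they would come from a span port or tap via a pcap parser.
A request whose payload bytes are identical to an earlier request to the
controller is flagged when it arrives from a different source address, or
from the same source after the retransmit window has elapsed.
"""
import hashlib

PLC_IP = "192.0.2.10"        # constructed address (TEST-NET-1)
RETRANSMIT_WINDOW_S = 2.0    # assumption: genuine TCP retransmits land within 2 s


def detect_replays(records, plc_ip=PLC_IP, window=RETRANSMIT_WINDOW_S):
    """Return a list of findings, one per suspected replayed request."""
    first_seen = {}  # payload hash -> (timestamp, source) of first occurrence
    findings = []
    for ts, src, dst, payload in sorted(records, key=lambda r: r[0]):
        if dst != plc_ip:
            continue  # only requests towards the controller matter here
        digest = hashlib.sha256(payload).hexdigest()
        if digest not in first_seen:
            first_seen[digest] = (ts, src)
            continue
        first_ts, first_src = first_seen[digest]
        if src != first_src:
            reason = "identical payload from a different source"
        elif ts - first_ts > window:
            reason = "identical payload re-sent outside the retransmit window"
        else:
            continue  # benign retransmission
        findings.append({
            "time": ts,
            "src": src,
            "first_time": first_ts,
            "first_src": first_src,
            "payload_sha256": digest[:16],
            "reason": reason,
        })
    return findings


# Constructed sample capture.  Payloads are opaque bytes chosen for the
# example; they do not encode any real controller command.
WRITE_REQ = bytes.fromhex("a1b2c3d4000100ff")
READ_REQ = bytes.fromhex("a1b2c3d400020011")
SAMPLE_CAPTURE = [
    (100.0, "192.0.2.50", PLC_IP, WRITE_REQ),   # engineering workstation
    (100.3, "192.0.2.50", PLC_IP, WRITE_REQ),   # TCP retransmit, benign
    (150.0, "192.0.2.50", PLC_IP, READ_REQ),    # unrelated request
    (160.0, PLC_IP, "192.0.2.50", WRITE_REQ),   # traffic from the PLC, ignored
    (420.0, "192.0.2.77", PLC_IP, WRITE_REQ),   # same bytes from another host
    (9000.0, "192.0.2.50", PLC_IP, WRITE_REQ),  # same bytes, hours later
]


def sample_findings():
    """Run the detector over the constructed capture."""
    return detect_replays(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['time']:>8} {f['src']:<12} {f['reason']}")
```

The detector hashes the whole request; if the protocol in use embeds a counter or timestamp that legitimately changes between distinct requests, normalise those fields out before hashing, otherwise a replay of a request whose nonce never changes still matches while genuine traffic never does.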