CVE-2021-32926

7.5 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to intercept password change requests and replace the legitimate password hash with their own, locking legitimate users out of affected Rockwell Automation controllers. It affects Micro800 controllers (all versions) and MicroLogix 1400 controllers (version 21 and later).

💻 Affected Systems

Products:
  • Rockwell Automation Micro800
  • Rockwell Automation MicroLogix 1400
Versions: Micro800: All versions, MicroLogix 1400: Version 21 and later
Operating Systems: Embedded controller firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires network access to controller and valid authentication credentials to exploit.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Critical industrial control systems become inaccessible to legitimate operators, potentially disrupting manufacturing processes or safety systems.

🟠 Likely Case: Targeted denial-of-service attacks against specific users or administrators, causing operational disruptions.

🟢 If Mitigated: Minimal impact with proper network segmentation and authentication controls limiting attacker access.

🌐 Internet-Facing: HIGH if controllers are directly internet-accessible, as authenticated attackers could exploit remotely.
🏢 Internal Only: MEDIUM as attackers need network access and valid credentials, but insider threats or compromised accounts could exploit.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires intercepting network traffic during password change operations and modifying the hash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Rockwell Automation security advisory for specific firmware updates

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02

Restart Required: Yes

Instructions:

1. Review Rockwell Automation security advisory.
2. Download appropriate firmware updates.
3. Apply updates following vendor procedures.
4. Restart controllers as required.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate affected controllers in separate network segments with strict access controls.

Encrypted Communications (applies to: all)

Use encrypted protocols (like CIP Security) for all controller communications.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can communicate with controllers
  • Monitor for unusual password change activity and implement multi-factor authentication where possible

🔍 How to Verify

Check if Vulnerable:

Check the controller firmware version against the affected-versions list in the advisory.

Check Version:

Use Rockwell Automation programming software (like Connected Components Workbench) to read controller firmware version.

Verify Fix Applied:

Confirm the firmware version has been updated to a non-vulnerable version.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by password change requests
  • Unusual source IP addresses accessing controller authentication functions

Network Indicators:

  • Unencrypted password change traffic on network
  • Man-in-the-middle activity between controllers and management stations

SIEM Query:

source_ip IN (controller_ips) AND (event_type="authentication" OR event_type="password_change") AND result="failure"
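The two log indicators above (failed logins followed by a password change, and password changes from an unexpected source) as runnable detection logic over constructed sample log lines. This is an added example, not part of the advisory or any vendor tooling; the log field layout, the engineering-workstation allowlist and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real controller output). Assumed field order:
# timestamp source_ip controller_ip event_type result
SAMPLE_LOG = """\
2021-05-25T10:00:01 10.1.5.50 10.1.5.100 authentication failure
2021-05-25T10:00:05 10.1.5.50 10.1.5.100 authentication failure
2021-05-25T10:00:09 10.1.5.50 10.1.5.100 authentication failure
2021-05-25T10:00:30 10.1.5.50 10.1.5.100 password_change success
2021-05-25T10:30:00 10.1.5.50 10.1.5.101 password_change success
2021-05-25T11:00:00 10.1.5.50 10.1.5.101 authentication success
2021-05-25T12:00:00 10.1.9.77 10.1.5.101 password_change success
"""

# Assumed allowlist of engineering workstations permitted to change controller passwords.
KNOWN_STATIONS = {"10.1.5.50"}
FAIL_THRESHOLD = 3          # assumed: this many failures before a change is suspicious
WINDOW = timedelta(minutes=5)

def parse(log_text):
    """Parse the whitespace-separated log format into (ts, src, dst, event, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, etype, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, etype, result))
    return events

def find_suspicious_changes(log_text, known=KNOWN_STATIONS,
                            threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (ts, src, dst, reasons) for every password change that comes from a source
    outside the allowlist and/or follows `threshold` failed logins to the same controller
    from the same source within `window`. Successful changes are checked as well, since
    the hash-swap described in the advisory completes as a normal-looking change."""
    events = sorted(parse(log_text))
    alerts = []
    for i, (ts, src, dst, etype, _result) in enumerate(events):
        if etype != "password_change":
            continue
        reasons = []
        if src not in known:
            reasons.append("unknown_source")
        failures = sum(1 for (t2, s2, d2, e2, r2) in events[:i]
                       if s2 == src and d2 == dst and e2 == "authentication"
                       and r2 == "failure" and ts - t2 <= window)
        if failures >= threshold:
            reasons.append("failures_then_change")
        if reasons:
            alerts.append((ts, src, dst, tuple(reasons)))
    return alerts
```

Feed it the controller or network-monitor export in the assumed field order; the 10:30 change from the known workstation with no preceding failures is not flagged, the other two are.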
