Strengthening OT Security against CVE-2018-17924 with MetaDefender
OT Solutions

A PLC (Programmable Logic Controller) is an industrial computer designed to automate processes by controlling machinery and other industrial operations. It works in harsh environments and is programmed to perform specific tasks based on sensor input. Rockwell Automation's MicroLogix 1400 Controller is a compact and modular PLC commonly used in small to medium-sized applications. Known for its cost-effectiveness and flexibility, it supports various communication protocols and offers digital and analog I/O options for interfacing with devices.

1. Exploited over a network
2. Easy to execute, no special privileges and user interaction required
3. Has a severe impact on the availability of the system

An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify system settings and cause a loss of communication between the device and the system.

Critical manufacturing, food and agriculture, transportation system, Water and wastewater systems

In the dynamic landscape of OT cybersecurity, understanding Common Vulnerabilities and Exposures (CVEs)
is crucial. CVEs are standardized identifiers assigned to known vulnerabilities, providing a common language
for organizations and security practitioners to discuss, share, and address security concerns. These are documented to ensure all security personnel are aware of them and can take remediation measures as necessary to prevent attacks into their systems.

Each CVE includes a unique identifier, a brief description of the vulnerability, and important information regarding its severity and potential impact.

The focus of the OPSWAT’s Fellowship Program was CVE-2018-17924, a vulnerability affecting Rockwell Automation MicroLogix 1400 Controllers. What makes this CVE particularly dangerous is its accessibility and the severe impact it can have on industrial systems.

CVE-2018-17924 is exploitable remotely with a low skill level requirement. This makes it a potent weapon in
the hands of attackers with basic knowledge, significantly increasing the potential threat landscape. The ease of execution, coupled with the ability to impact systems without requiring special privileges or user interaction, sets this CVE apart in terms of its danger.

To showcase the real-world implications of CVE-2018-17924, the OPSWAT Fellowship team meticulously recreated the scenario. Divided into phases, the project emphasized the simplicity of the exploit, highlighting the lack of special privileges or user interaction needed and the ensuing impact on system availability.

OPSWAT's MetaDefender OT Security, plays a pivotal role in mitigating the risks associated with CVE-2018-17924. Its capabilities extend beyond traditional security measures, offering a comprehensive view into the industrial environments. With its asset visibility feature the MetaDefender OT Security identifies vulnerabilities and potential attacks, providing a critical layer of defense against exploits like the one described in the CVE.

OPSWAT's MetaDefender Industrial Firewall complements MetaDefender OT Security by adding an additional layer of defense against attacks. This solution specifically targets the detection and prevention of potential exploits in critical industrial systems. It does so by isolating the system networks and then preventing the attack from impacting any of the assets/systems on the network.