CVE-2016-0868
Published: 2016-01-28
Priority: P261
CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 6.62% (93.0th percentile)
Stack-based buffer overflow on Rockwell Automation Allen-Bradley MicroLogix 1100 devices A through 15.000 and B before 15.002 allows remote attackers to execute arbitrary code via a crafted web request.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwellautomation | 1763-l16awa_series_a | — | — |
| rockwellautomation | 1763-l16awa_series_b | — | — |
| rockwellautomation | 1763-l16bbb_series_a | — | — |
| rockwellautomation | 1763-l16bbb_series_b | — | — |
| rockwellautomation | 1763-l16bwa_series_a | — | — |
| rockwellautomation | 1763-l16bwa_series_b | — | — |
| rockwellautomation | 1763-l16dwd_series_a | — | — |
| rockwellautomation | 1763-l16dwd_series_b | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a malicious HTTP web request to the Allen-Bradley MicroLogix 1100 device's built-in web server, causing a stack-based buffer overflow. Detect anomalous or oversized HTTP requests directed at MicroLogix 1100 devices on the network.
- The MicroLogix 1100 web server is enabled by default. Identify any MicroLogix 1100 devices (models 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD) running firmware version 15.000 or prior that are reachable via HTTP; these are unpatched and exploitable.
- Monitor for unexpected outbound connections or code execution artifacts originating from MicroLogix 1100 PLCs, which may indicate successful exploitation and arbitrary code execution.
- Series A hardware (1763-L16AWA/BBB/BWA/DWD Series A) is NOT patched by the firmware update; only Series B is addressed in firmware Version 15.002. Series A devices remain permanently vulnerable and require compensating controls.
- No known public exploits existed at time of advisory publication, but the attacker skill required is rated low, meaning exploitation is accessible to unsophisticated threat actors.
- The attack vector is network-accessible with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N), meaning any host that can reach the device's web server can attempt exploitation.
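The two checks the notes above call for (an inventory of controllers that still need attention, and a review of HTTP traffic toward them for oversized requests) can be scripted. The following is an added example written for this page, not code from Rockwell Automation, CISA, CyberX or the advisory. The log format, the IP addresses, the device inventory and the 2048-byte "oversized" cut-off are constructed assumptions; the Series A / Series B fix status comes from the notes above.

```python
"""Exposure triage for CVE-2016-0868 (added example; not from the advisory).

Two checks drawn from the detection notes above:
  1. Inventory: which MicroLogix 1100 controllers are still vulnerable
     (Series A at any firmware, Series B below 15.002).
  2. Log review: HTTP requests to those controllers that are far larger
     than a PLC's built-in web pages normally receive.
The log format, addresses, inventory and size threshold are constructed
for this example; baseline the threshold against real traffic before use.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

FIXED_SERIES_B = (15, 2)     # Series B is fixed in firmware 15.002 (from the advisory)
MAX_REQUEST_BYTES = 2048     # assumed cut-off for "oversized"; tune per site


@dataclass(frozen=True)
class Controller:
    ip: str
    model: str      # e.g. "1763-L16BWA"
    series: str     # "A" or "B"
    firmware: str   # e.g. "15.000"


def parse_firmware(version: str) -> Tuple[int, int]:
    """'15.002' -> (15, 2); a bare major such as '15' is treated as 15.000."""
    parts = version.split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return int(parts[0]), minor


def is_vulnerable(c: Controller) -> bool:
    """Series A never received a fix; Series B is safe from 15.002 onward."""
    if c.series.upper() == "A":
        return True
    return parse_firmware(c.firmware) < FIXED_SERIES_B


def exposure_report(inventory: Iterable[Controller]) -> List[Tuple[str, str, str]]:
    """(ip, model, reason) for every controller that still needs attention."""
    report = []
    for c in inventory:
        if not is_vulnerable(c):
            continue
        if c.series.upper() == "A":
            reason = "Series A: no fixed firmware, isolate and apply compensating controls"
        else:
            reason = f"Series B firmware {c.firmware} is below 15.002, update available"
        report.append((c.ip, c.model, reason))
    return report


# Constructed key=value lines standing in for a firewall or proxy export.
LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    return dict(LOG_FIELD.findall(line))


def flag_oversized_requests(log_lines, inventory, limit=MAX_REQUEST_BYTES):
    """(ts, src, dst, bytes) for HTTP requests above `limit` bytes whose
    destination is a still-vulnerable controller; other traffic is ignored."""
    exposed = {c.ip for c in inventory if is_vulnerable(c)}
    hits = []
    for line in log_lines:
        f = parse_log_line(line)
        if f.get("proto") != "http" or f.get("dst") not in exposed:
            continue
        size = int(f.get("bytes", "0"))
        if size > limit:
            hits.append((f["ts"], f["src"], f["dst"], size))
    return hits


# Constructed inventory: one unfixable Series A unit, one unpatched and one
# patched Series B unit.
INVENTORY = [
    Controller("10.0.9.14", "1763-L16BWA", "A", "15.000"),
    Controller("10.0.9.15", "1763-L16BBB", "B", "15.000"),
    Controller("10.0.9.16", "1763-L16DWD", "B", "15.002"),
]

# Constructed traffic log: only the second line is both oversized and aimed
# at a still-vulnerable controller; the third targets the patched unit.
SAMPLE_LOG = [
    "ts=2016-02-01T10:15:02Z src=10.0.5.23 dst=10.0.9.14 proto=http method=GET uri=/ bytes=412",
    "ts=2016-02-01T10:15:09Z src=10.0.5.23 dst=10.0.9.14 proto=http method=POST uri=/ bytes=9120",
    "ts=2016-02-01T10:16:40Z src=10.0.5.88 dst=10.0.9.16 proto=http method=POST uri=/ bytes=9120",
    "ts=2016-02-01T10:17:03Z src=10.0.5.88 dst=10.0.9.15 proto=http method=GET uri=/ bytes=388",
]

if __name__ == "__main__":
    for ip, model, reason in exposure_report(INVENTORY):
        print(f"{ip} {model}: {reason}")
    for ts, src, dst, size in flag_oversized_requests(SAMPLE_LOG, INVENTORY):
        print(f"{ts} oversized HTTP request {src} -> {dst} ({size} bytes)")
```

The size check is deliberately coarse: the advisory only says "crafted web request", so the script flags volume rather than any particular field, and the patched Series B unit is excluded so that the alert list stays focused on devices where a hit actually matters.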
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
CISA ICS
Rockwell Automation MicroLogix 1100 PLC Overflow Vulnerability
cisa_ics · 2018-08-23
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: August 23, 2018
Alert Code: ICSA-16-026-02
## OVERVIEW
David Atch of CyberX has identified a stack-based buffer overflow vulnerability in Rockwell Automation’s Allen-Bradley MicroLogix 1100 programmable logic controller (PLC) systems. Rockwell Automation has produced a new firmware version to mitigate this vulnerability.
This vulnerability could be exploited remotely.
## AFFECTED PRODUCTS
The following Allen-Bradley MicroLogix 1100 controller platforms are affected:
- 1763-L16AWA, Series B, Version 15.0
GHSA
GHSA-mhq4-x2rw-f5f2: Stack-based buffer overflow on Rockwell Automation Allen-Bradley MicroLogix 1100 devices A through 15
ghsa_unreviewed · 2022-05-17
CVE-2016-0868 [CRITICAL] CWE-119
Stack-based buffer overflow on Rockwell Automation Allen-Bradley MicroLogix 1100 devices A through 15.000 and B before 15.002 allows remote attackers to execute arbitrary code via a crafted web request.
No detection rules found.
No public exploits indexed.
Published: 2016-01-28