CVE-2017-7924
Published 2017-09-20
Priority P263 · high · CVSS 3.0: 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS 22.18% (97.4th percentile)
An Improper Input Validation issue was discovered in Rockwell Automation MicroLogix 1100 controllers 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L16DWD. A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition.
Detection & IOCs
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:established,to_server; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:2; metadata:created_at 2019_02_18, cve CVE_2017_7924, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2024_03_07, reviewed_at 2024_05_06;)
bytes
|4b 02 20 67 24 01|
bytes
|a2| ... |05 47|
- Detect the crafted PCCC DoS packet on TCP port 44818 (EtherNet/IP) by matching the rule's three-part byte sequence in an established inbound TCP flow: |4b 02 20 67 24 01|, then |a2| after it (distance:0), then |05 47| one byte past |a2| (distance:1; within:2).
- A single specially crafted PCCC packet is sufficient to trigger the DoS; detection should fire on the first matching packet rather than requiring a session pattern.
- Monitor and restrict inbound traffic on Port 2222/TCP and UDP and Port 44818/TCP and UDP at the perimeter; unexpected external sources reaching these ports targeting MicroLogix 1100 devices are high-confidence attack indicators.
- The Metasploit auxiliary module auxiliary/dos/scada/allen_bradley_pccc implements this exploit; presence of this module's traffic pattern or its use in a pentest/red-team context should be flagged.
- The Snort/ET rule targets TCP port 44818 only; the vulnerability also applies over UDP 44818 and TCP/UDP 2222 (EtherNet/IP / CIP), so the rule does not provide full coverage across all transport variants.
- The ET rule is classified with 'confidence Medium', meaning the byte pattern may produce false positives in environments with high volumes of legitimate EtherNet/IP traffic; tune accordingly.
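To make the rule's matching and its coverage gap concrete, the following is an added example (not code from this page, Emerging Threats, or Rockwell) that models the content chain of sid 2026917 in plain Python and applies it to constructed byte strings. The function and sample names are hypothetical, the samples are signature bytes plus padding rather than protocol-valid packets, and the reading of `distance`/`within` is the one stated in the comments.

```python
# Added illustration: models the content chain of ET sid 2026917 in plain Python.
SIG_HEAD = bytes.fromhex("4b0220672401")   # content:"|4b 02 20 67 24 01|"
SIG_MID = bytes.fromhex("a2")              # content:"|a2|"; distance:0
SIG_TAIL = bytes.fromhex("0547")           # content:"|05 47|"; distance:1; within:2
ENIP_TCP_PORT = 44818                      # destination port in the rule header


def find_all(data, needle, start=0):
    """Yield every offset >= start at which needle occurs."""
    pos = data.find(needle, start)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def payload_matches(payload):
    """True if the three content matches chain the way the rule requires."""
    for head in find_all(payload, SIG_HEAD):
        after_head = head + len(SIG_HEAD)
        # distance:0 with no within: |a2| may start anywhere after the head match.
        for mid in find_all(payload, SIG_MID, after_head):
            # distance:1 skips one byte; within:2 leaves room only for the
            # two tail bytes, so they must start exactly one byte past |a2|.
            tail_at = mid + len(SIG_MID) + 1
            if payload[tail_at:tail_at + len(SIG_TAIL)] == SIG_TAIL:
                return True   # otherwise keep trying later |a2| candidates
    return False


def rule_fires(proto, dst_port, to_server, payload):
    """Apply the rule header (tcp, port 44818, to_server) before the content chain."""
    return (proto == "tcp" and dst_port == ENIP_TCP_PORT and to_server
            and payload_matches(payload))


# Constructed byte strings (signature bytes plus zero padding), not real packets.
PAD = bytes(4)
SAMPLE_HIT = PAD + SIG_HEAD + PAD + SIG_MID + b"\x00" + SIG_TAIL
SAMPLE_BACKTRACK = SIG_HEAD + SIG_MID + b"\x00\x00" + SIG_MID + b"\x00" + SIG_TAIL
SAMPLE_ADJACENT = SIG_HEAD + SIG_MID + SIG_TAIL          # no gap byte after |a2|
SAMPLE_WRONG_ORDER = SIG_MID + b"\x00" + SIG_TAIL + SIG_HEAD

if __name__ == "__main__":
    for name in ("SAMPLE_HIT", "SAMPLE_BACKTRACK", "SAMPLE_ADJACENT", "SAMPLE_WRONG_ORDER"):
        print(f"{name:20} content chain matches: {payload_matches(globals()[name])}")
    # Same payload on the other transports named above: the TCP/44818 rule stays silent.
    for proto, port in (("tcp", 44818), ("udp", 44818), ("tcp", 2222), ("udp", 2222)):
        print(f"{proto}/{port:<6} rule fires: {rule_fires(proto, port, True, SAMPLE_HIT)}")
```

The last loop shows the same bytes going unflagged on UDP 44818 and TCP/UDP 2222, which is why the port restrictions above have to carry the coverage the signature does not.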
CVSS provenance
nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
GHSA
GHSA-ch2w-m37v-83fq: An Improper Input Validation issue was discovered in Rockwell Automation MicroLogix 1100 controllers 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L
ghsa_unreviewed·2022-05-13
CVE-2017-7924 [HIGH] CWE-20 GHSA-ch2w-m37v-83fq: An Improper Input Validation issue was discovered in Rockwell Automation MicroLogix 1100 controllers 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L
CISA ICS
Rockwell Automation MicroLogix 1100 Controllers
cisa_ics·2017-07-18
ICS Advisory
## Rockwell Automation MicroLogix 1100 Controllers
Last Revised: July 18, 2017
Alert Code: ICSA-17-138-03
## CVSS v3 7.5
Vendor: Rockwell Automation
Equipment: MicroLogix 1100 Controllers
Vulnerability: Improper Input Validation
## REPOSTED INFORMATION
This advisory was originally posted to the NCCIC Portal on May 18, 2017, and is being released to the NCCIC/ICS-CERT web site.
## AFFECTED PRODUCTS
The following versions of MicroLogix 1100 controllers are affected:
- 1763-L16BWA,
- 1763-L16AWA,
- 1763-L16BBB, and
- 1763-L16DWD.
## IMPACT
Successful exploitation of this vulne
Suricata
ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)
suricata·2019-02-18·CVSS 7.5
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:established,to_server; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:2; metadata:created_at 2019_02_18, cve CVE_2017_7924, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2024_03_07, reviewed_at 2024_05_06;)
No writeups or analysis indexed.