CVE-2017-7898

high-risk
Published 2017-06-30

An Improper Restriction of Excessive Authentication Attempts issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. There are no penalties for repeatedly entering incorrect passwords.

Do I need to act?

~
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

1763-L16Awa Series A
1763-L16Bbb Series A
1763-L16Bbb Series B
1766-L32Awaa Series A
1766-L32Bwa Series B
1766-L32Bwaa Series A
1766-L32Bwaa Series B
1766-L32Bxba Series A
1763-L16Awa Series B
1763-L16Bwa Series A
1763-L16Bwa Series B
1763-L16Dwd Series A
1763-L16Dwd Series B
1766-L32Awa Series A
1766-L32Awa Series B
1766-L32Awaa Series B
1766-L32Bwa Series A
1766-L32Bxb Series A
1766-L32Bxb Series B
1766-L32Bxba Series B

Affected Vendors

Rockwellautomation

References (4)

http://www.securitytracker.com/id/1038546
Patch https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
http://www.securitytracker.com/id/1038546
Patch https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04
55
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 3/34 · Minimal
Exposure 20/34 · Moderate