Vulnerability Description
An Information Exposure issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. User credentials are sent to the web server using the HTTP GET method, which may result in the credentials being logged. This could make user credentials available for unauthorized retrieval.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rockwellautomation | 1763-L16Awa Series A | <= 16.000 |
| Rockwellautomation | 1763-L16Awa Series B | <= 16.000 |
| Rockwellautomation | 1763-L16Bbb Series A | <= 16.000 |
| Rockwellautomation | 1763-L16Bbb Series B | <= 16.000 |
| Rockwellautomation | 1763-L16Bwa Series A | <= 16.000 |
| Rockwellautomation | 1763-L16Bwa Series B | <= 16.000 |
| Rockwellautomation | 1763-L16Dwd Series A | <= 16.000 |
| Rockwellautomation | 1763-L16Dwd Series B | <= 16.000 |
| Rockwellautomation | Ab Micrologix Controller | 1100 |
| Rockwellautomation | 1766-L32Awa Series A | <= 16.000 |
| Rockwellautomation | 1766-L32Awa Series B | <= 16.000 |
| Rockwellautomation | 1766-L32Awaa Series A | <= 16.000 |
| Rockwellautomation | 1766-L32Awaa Series B | <= 16.000 |
| Rockwellautomation | 1766-L32Bwa Series A | <= 16.000 |
| Rockwellautomation | 1766-L32Bwa Series B | <= 16.000 |
| Rockwellautomation | 1766-L32Bwaa Series A | <= 16.000 |
| Rockwellautomation | 1766-L32Bwaa Series B | <= 16.000 |
| Rockwellautomation | 1766-L32Bxb Series A | <= 16.000 |
| Rockwellautomation | 1766-L32Bxb Series B | <= 16.000 |
| Rockwellautomation | 1766-L32Bxba Series A | <= 16.000 |
Related Weaknesses (CWE)
References
- http://www.securitytracker.com/id/1038546
- https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04PatchThird Party AdvisoryUS Government Resource
- http://www.securitytracker.com/id/1038546
- https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04PatchThird Party AdvisoryUS Government Resource
FAQ
What is CVE-2017-7899?
CVE-2017-7899 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An Information Exposure issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16...
How severe is CVE-2017-7899?
CVE-2017-7899 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-7899?
Check the references section above for vendor advisories and patch information. Affected products include: Rockwellautomation 1763-L16Awa Series A, Rockwellautomation 1763-L16Awa Series B, Rockwellautomation 1763-L16Bbb Series A, Rockwellautomation 1763-L16Bbb Series B, Rockwellautomation 1763-L16Bwa Series A.