CVE Vulnerabilities

CVE-2020-6990

Use of Hard-coded Cryptographic Key

Published: Mar 16, 2020 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
10 HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

Weakness

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Affected Software

Name Vendor Start Version End Version
Micrologix_1400_a_firmware Rockwellautomation * *
Micrologix_1400_b_firmware Rockwellautomation * 21.001 (including)

Potential Mitigations

References