CVE-2022-2179
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
The X-Frame-Options header in Rockwell Automation MicroLogix 1100/1400 Versions 21.007 and prior is not configured in the HTTP response, which could allow clickjacking attacks.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Rockwell Automation | MicroLogix 1400 | unspecified <= 21.007 | affected |
| Rockwell Automation | MicroLogix 1100 | All versions | affected |
Weaknesses
- CWE-1021: CWE-1021
Workarounds
Rockwell Automation encourages those using the affected software to implement the mitigations below to minimize risk. Additionally, Rockwell Automation encourages users to combine risk mitigations with security best practices (also provided below) to deploy a defense-in-depth strategy.
Disable the web server where possible (this component is an optional feature and disabling it will not disrupt the intended use of the device).
Configure firewalls to disallow network communication through HTTP/Port 80
If applying the mitigations noted above are not possible, please see Rockwell Automation’s Knowledgebase article QA43240 Security Best Practices.
For more information, please see the industrial security advisory from Rockwell Automation.
ADP Enrichment
CVE Program Container
Additional References
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-01
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1135994
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-01
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1135994
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.