CVE-2022-2179

Summary

The X-Frame-Options header in Rockwell Automation MicroLogix 1100/1400 Versions 21.007 and prior is not configured in the HTTP response, which could allow clickjacking attacks.

Affected Software

VendorProductVersion RangeStatus
Rockwell AutomationMicroLogix 1400unspecified <= 21.007affected
Rockwell AutomationMicroLogix 1100All versionsaffected

Weaknesses

  • CWE-1021: CWE-1021

Workarounds

Rockwell Automation encourages those using the affected software to implement the mitigations below to minimize risk. Additionally, Rockwell Automation encourages users to combine risk mitigations with security best practices (also provided below) to deploy a defense-in-depth strategy.

Disable the web server where possible (this component is an optional feature and disabling it will not disrupt the intended use of the device).
Configure firewalls to disallow network communication through HTTP/Port 80

If applying the mitigations noted above are not possible, please see Rockwell Automation’s Knowledgebase article QA43240 Security Best Practices.

For more information, please see the industrial security advisory from Rockwell Automation.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References