CVE-2016-9338

An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. Because of an Incorrect Permission Assignment for Critical Resource, users with administrator privileges may be able to remove all administrative users requiring a factory reset to restore ancillary web server function. Exploitation of this vulnerability will still allow the affected device to function in its capacity as a controller.

CVSS v3 2.7 LOW
CVSS v2.0 4.0 MEDIUM

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector : AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/95302	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06	Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/95302	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rockwellautomation:1763-l16awa_series_a::::::::
	cpe:2.3:a:rockwellautomation:1763-l16awa_series_b::::::::
	cpe:2.3:a:rockwellautomation:1763-l16bbb_series_a::::::::
	cpe:2.3:a:rockwellautomation:1763-l16bbb_series_b::::::::
	cpe:2.3:a:rockwellautomation:1763-l16bwa_series_a::::::::
	cpe:2.3:a:rockwellautomation:1763-l16bwa_series_b::::::::
	cpe:2.3:a:rockwellautomation:1763-l16dwd_series_a::::::::
	cpe:2.3:a:rockwellautomation:1763-l16dwd_series_b::::::::
	cpe:2.3:a:rockwellautomation:1766-l32awa_series_a::::::::
	cpe:2.3:a:rockwellautomation:1766-l32awa_series_b::::::::
	cpe:2.3:a:rockwellautomation:1766-l32awaa_series_a::::::::
	cpe:2.3:a:rockwellautomation:1766-l32awaa_series_b::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bwa_series_a::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bwa_series_b::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bwaa_series_a::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bwaa_series_b::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bxb_series_a::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bxb_series_b::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bxba_series_a::::::::
	cpe:2.3:a:rockwellautomation:1766-l32bxba_series_b::::::::

History

21 Nov 2024, 03:00

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/95302 - VDB Entry, Third Party Advisory~~	() http://www.securityfocus.com/bid/95302 - Third Party Advisory, VDB Entry
References	~~() https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06 - Third Party Advisory, US Government Resource~~	() https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06 - Third Party Advisory, US Government Resource

Information

Published : 2017-02-13 21:59

Updated : 2025-04-20 01:37

NVD link : CVE-2016-9338

Mitre link : CVE-2016-9338

CVE.ORG link : CVE-2016-9338

JSON object : View

Products Affected

rockwellautomation

1766-l32awa_series_a
1766-l32bwa_series_a
1766-l32bwa_series_b
1766-l32bxb_series_a
1766-l32bxb_series_b
1763-l16awa_series_b
1763-l16bbb_series_b
1766-l32bxba_series_a
1763-l16dwd_series_b
1763-l16bbb_series_a
1763-l16bwa_series_b
1766-l32awaa_series_b
1766-l32awa_series_b
1766-l32bwaa_series_a
1763-l16awa_series_a
1763-l16dwd_series_a
1766-l32bxba_series_b
1766-l32awaa_series_a
1763-l16bwa_series_a
1766-l32bwaa_series_b

CWE

NVD-CWE-Other

{"id": "CVE-2016-9338", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "published": "2017-02-13T21:59:01.627", "references": [{"url": "http://www.securityfocus.com/bid/95302", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "http://www.securityfocus.com/bid/95302", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-06", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. Because of an Incorrect Permission Assignment for Critical Resource, users with administrator privileges may be able to remove all administrative users requiring a factory reset to restore ancillary web server function. Exploitation of this vulnerability will still allow the affected device to function in its capacity as a controller."}, {"lang": "es", "value": "Ha sido descubierto un problema en controlador Rockwell Automation Allen-Bradley MicroLogix 1100, 1763-L16AWA, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores; 1763-L16BBB, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores; 1763-L16BWA, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores; y 1763-L16DWD, Serie A y B, Versi\u00f3n 14.000 y versiones anteriores. Debido a una asignaci\u00f3n de permisos incorrecta para recursos cr\u00edticos, los usuarios con privilegios de administrador pueden eliminar todos los usuarios administrativos requiri\u00e9ndose un restablecimiento de f\u00e1brica para restaurar la funci\u00f3n del servidor web auxiliar. La explotaci\u00f3n de esta vulnerabilidad seguir\u00e1 permitiendo que el dispositivo afectado funcione en su capacidad como controlador."}], "lastModified": "2025-04-20T01:37:25.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:1763-l16awa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7434A56-A11C-4362-A806-ECC05EF81EDC", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16awa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E55698D3-601A-48E4-AD5A-C42AA32A02DC", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bbb_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FBC09CC-AD8C-4412-90B0-1E798B56C4F7", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bbb_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58265FCD-55B4-4E9C-8A02-9702B8ED5E4C", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bwa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A719DAFD-8BA2-4E56-AC78-60C2D9FCBAA0", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16bwa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "530BB796-C178-49C1-ADF7-7B34E9FD6ED8", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16dwd_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6D6A13D-69AC-431B-9E12-BDB6523BB49D", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1763-l16dwd_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D38291EC-779A-461C-971B-09A52C2FB668", "versionEndIncluding": "14.000"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44A021E4-B93B-4AA0-B7E7-A69F86666D24", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCE93E4A-C845-4B29-B09E-DA5EC4F22EC2", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awaa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE5F717B-487B-473F-BD50-0DE76CAFD6B7", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32awaa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEB0FCA4-C3D7-46CC-9D4A-C7FE8B7D25C4", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55708721-9FAF-4778-95AE-C51FAF42E234", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E6A9C27-E079-43CD-A348-C257AD1B2C9B", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwaa_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2830F25-7489-4B96-8750-8E187BA155A8", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bwaa_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "391B81A5-A3BB-44FD-9849-2D9FC0A004EE", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxb_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AACFCF1B-5FD4-451E-94F9-FFE6CA3427DB", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxb_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31BCB97C-9F7C-47C7-832E-2EAA7B841CA2", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxba_series_a:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93282079-80A2-4CDF-9EF8-D9EEBAC1D238", "versionEndIncluding": "15.004"}, {"criteria": "cpe:2.3:a:rockwellautomation:1766-l32bxba_series_b:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4F5D81D-62BA-4655-8FB1-43BC0FF3288B", "versionEndIncluding": "15.004"}], "operator": "OR"}]}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/732.html\">CWE-732: Incorrect Permission Assignment for Critical Resource</a>", "sourceIdentifier": "ics-cert@hq.dhs.gov"}

2.7 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2016-9338

2.7^/10

4.0^/10

Attach tags to `CVE-2016-9338`