SCADAfence Blog

Rockwell Automation PLC Unauthorized Code Injection

Written by Lali Hadar | Apr 6, 2022 5:17:52 PM

Two vulnerabilities in Rockwell programmable logic controllers and engineering workstation software have been disclosed. These vulnerabilities give attackers a way to modify automation processes and potentially disrupt industrial operations, cause physical damage to factories, and perform other malicious actions.

  • CVE-2022-1161 - this vulnerability affects several versions of Rockwell’s Logix Controllers and has a CVSS score of 10. It is a remote code execution vulnerability which lies within affected PLC firmware running on ControlLogix, CompactLogix, and GuardLogix control systems. It allows attackers to write user-readable program code to a separate memory location from the executed compiled code, allowing the attacker to modify one and not the other without the user's knowledge.
  • CVE-2022-1159 - this vulnerability affects several versions of Rockwell's Studio 5000 Logix Designer application and allows an attacker to alter code as it is being compiled without the user's knowledge. This vulnerability has a CVSS score of 7.7. To successfully exploit this vulnerability, an attacker must first gain administrator access to the affected application, and then intercept the compilation process and inject code into the user program. The user may be unaware that this modification has taken place.

The impact from exploiting these vulnerabilities is essentially the same: they allow attackers to change the logic flow in a PLC, triggering new commands being sent to the physical devices controlled by the system.

SCADAfence Detects These Vulnerabilities

The SCADAfence Platform detects new connections, connections from external devices and from the Internet, and unauthorized connections to OT assets. 

Furthermore, the platform detects start, restart, and stop commands sent to PLCs in the network, as well as remote mode change commands which are needed steps to alter programs in Rockwell’s Logix Controllers.

The disclosed CVEs are currently under NIST-NVD analysis - when the analysis is done they will be added to the SCADAfence CVE database to help detect devices that are potentially vulnerable.

Recommendations

Vendor Recommendations

Rockwell developed a Compare tool that can detect hidden code running on a PLC:

  • Logix Designer application Compare Tool V9 or later, installed with Studio 5000 Logix Designer
  • FactoryTalk AssetCentre V12 or later (available fall 2022)

CISA released the following mitigations:

  • Implement CIP Security to help prevent unauthorized connections.
  • Use the Controller Log feature to track interactions that occurred in the controller.
  • Use Change Detection in the Logix Designer application to monitor events for changes.

SCADAfence recommends

SCADAfence recommends taking the following measures to minimize the risk of exploitation:

  • Limit Network Exposure - minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Monitor Network Traffic - monitor access to the production segments. In the SCADAfence Platform, create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.
  • Monitor User Activity - in the SCADAfence Platform, monitor access to the affected devices and track user activity using the User Activity View.
  • Connect to SCADAfence Cloud - connect the SCADAfence Platform to the SCADAfence Cloud to get the latest signature and CVE updates.
  • Increase Severity of Alerts - in the SCADAfence Platform, increase severity of alerts per the below recommendations.
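The detection approach described above (flagging start/stop/mode-change and program-download commands to a logical group of Logix controllers when they arrive from outside the production segment or from a host that is not an approved engineering workstation) can be illustrated with a small rule engine. This is an added example, not SCADAfence Platform code or Rockwell's; the addresses, the normalized event format and the command names are constructed for illustration, not a real CIP or SCADAfence log format.

```python
import ipaddress
from dataclasses import dataclass

# Constructed logical group of affected Logix controllers (placeholder addresses).
LOGIX_GROUP = {"10.10.1.21": "CompactLogix 5380", "10.10.1.22": "ControlLogix 5580"}
# Constructed allowlist of hosts permitted to change controller state or programs.
ENGINEERING_WORKSTATIONS = {"10.10.5.10"}
# Constructed production segment; anything outside it is treated as external.
PRODUCTION_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
# Command classes the post names as steps needed to alter a Logix program
# (normalized names chosen for this example, not real CIP service codes).
SENSITIVE_COMMANDS = {"start", "restart", "stop", "mode_change", "program_download"}


@dataclass
class Alert:
    severity: str
    reason: str
    src: str
    dst: str
    command: str


def evaluate(event):
    """Return an Alert for one normalized event (src, dst, command) or None."""
    src, dst, cmd = event["src"], event["dst"], event["command"]
    # Only control-affecting commands aimed at the monitored group matter here.
    if dst not in LOGIX_GROUP or cmd not in SENSITIVE_COMMANDS:
        return None
    # Highest severity: control command from outside the plant network.
    if ipaddress.ip_address(src) not in PRODUCTION_SEGMENT:
        return Alert("critical", "control command from outside production segment", src, dst, cmd)
    # Internal but not an approved engineering workstation.
    if src not in ENGINEERING_WORKSTATIONS:
        return Alert("high", "control command from non-engineering host", src, dst, cmd)
    return None


def scan(events):
    """Apply the rule to a batch of events and return the alerts in order."""
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events: one authorized change, one internal rogue host,
# one external source, and one benign read that must not alert.
SAMPLE_EVENTS = [
    {"src": "10.10.5.10", "dst": "10.10.1.21", "command": "mode_change"},
    {"src": "10.10.7.44", "dst": "10.10.1.21", "command": "program_download"},
    {"src": "203.0.113.9", "dst": "10.10.1.22", "command": "stop"},
    {"src": "10.10.7.44", "dst": "10.10.1.22", "command": "read_tag"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```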

Affected Products

[CVE-2022-1161]: Modification of PLC Program Code

  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™ 5730 controllers
  • SoftLogix™ 5800 controllers

[CVE-2022-1159]: Modification of PLC Program Code

  • Studio 5000 Logix Designer application v28 and later
  • ControlLogix® 5580 controllers
  • GuardLogix® 5580 controllers
  • CompactLogix™ 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers