
Vulnerability Report: Rockwell PLC Unauthorized Code Injection [CVE-2022-1161, CVE-2022-1159]

Two vulnerabilities in Rockwell programmable logic controllers and engineering workstation software have been disclosed. These vulnerabilities give attackers a way to modify automation processes and potentially disrupt industrial operations, cause physical damage to factories, and perform other malicious actions.
  • CVE-2022-1161 – this vulnerability affects several versions of Rockwell’s Logix Controllers and has a CVSS score of 10. It is a remote code execution vulnerability which lies within affected PLC firmware running on ControlLogix, CompactLogix, and GuardLogix control systems. It allows attackers to write user-readable program code to a separate memory location from the executed compiled code, allowing the attacker to modify one and not the other without the user’s knowledge.
  • CVE-2022-1159 – this vulnerability affects several versions of Rockwell’s Studio 5000 Logix Designer application and allows an attacker to alter code as it is being compiled without the user’s knowledge. This vulnerability has a CVSS score of 7.7. To successfully exploit this vulnerability, an attacker must first gain administrator access to the affected application, and then intercept the compilation process and inject code into the user program. The user may be unaware that this modification has taken place.
The impact from exploiting these vulnerabilities is essentially the same: they allow attackers to change the logic flow in a PLC to trigger new commands being sent to the physical devices that are being controlled by the system.

SCADAfence Detects These Vulnerabilities

The SCADAfence Platform detects new connections, connections from external devices and from the Internet, and unauthorized connections to OT assets. Furthermore, the platform detects start, restart, and stop commands sent to PLCs in the network, as well as remote mode change commands, which are required steps for altering programs in Rockwell’s Logix Controllers. The disclosed CVEs are currently under NIST-NVD analysis; when the analysis is done, they will be added to the SCADAfence CVE database to help detect devices that are potentially vulnerable.
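
The detection categories listed above can be sketched as a small rule set. This is an added example, not SCADAfence's implementation or code from the original advisory. It runs over constructed connection records, and the record fields, PLC group, workstation allowlist, address range, event labels and severity names are all assumptions.

```python
import ipaddress

# Assumed asset group and allowlist (constructed values, not from the advisory).
PLC_GROUP = {"10.10.5.20", "10.10.5.21"}           # affected Logix controllers
ENG_WORKSTATIONS = {"10.10.1.50"}                  # hosts allowed to program PLCs
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")  # internal OT address space
# Event labels an upstream protocol decoder is assumed to emit.
CONTROL_EVENTS = {"start", "stop", "restart", "mode_change"}

# Constructed sample records: (timestamp, src, dst, event)
RECORDS = [
    ("2022-04-01T08:00:01", "10.10.1.50", "10.10.5.20", "connect"),
    ("2022-04-01T08:00:05", "10.10.1.50", "10.10.5.20", "mode_change"),
    ("2022-04-01T09:12:40", "10.10.7.99", "10.10.5.21", "connect"),
    ("2022-04-01T09:12:44", "10.10.7.99", "10.10.5.21", "mode_change"),
    ("2022-04-01T09:30:00", "203.0.113.8", "10.10.5.20", "connect"),
    ("2022-04-01T09:31:00", "10.10.1.50", "10.10.9.9", "connect"),
]

def classify(records):
    """Return (timestamp, severity, reason) alerts for traffic to the PLC group."""
    alerts, seen_pairs = [], set()
    for ts, src, dst, event in records:
        if dst not in PLC_GROUP:
            continue  # only the affected controllers are monitored here
        authorized = src in ENG_WORKSTATIONS
        external = ipaddress.ip_address(src) not in OT_NETWORK
        if event == "connect":
            if external:
                alerts.append((ts, "critical", f"external source {src} -> PLC {dst}"))
            elif not authorized:
                alerts.append((ts, "high", f"unauthorized source {src} -> PLC {dst}"))
            elif (src, dst) not in seen_pairs:
                alerts.append((ts, "info", f"new connection {src} -> PLC {dst}"))
            seen_pairs.add((src, dst))
        elif event in CONTROL_EVENTS:
            # Control commands are always recorded; severity depends on the sender.
            sev = "medium" if authorized else "critical"
            alerts.append((ts, sev, f"{event} from {src} to PLC {dst}"))
    return alerts

if __name__ == "__main__":
    for alert in classify(RECORDS):
        print(*alert, sep="  ")
```

A mode change from the allowlisted workstation is still recorded at lower severity, so it can be matched against a planned maintenance window.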

Recommendations

Vendor Recommendations

Rockwell developed a Compare tool that can detect hidden code running on a PLC:
  • Logix Designer application Compare Tool V9 or later, installed with Studio 5000 Logix Designer
  • FactoryTalk AssetCentre V12 or later (available fall 2022)
CISA released the following mitigations:
  • Implement CIP Security to help prevent unauthorized connections.
  • Use the Controller Log feature to track interactions that occurred in the controller.
  • Use Change Detection in the Logix Designer application to monitor events for changes.

SCADAfence recommends

SCADAfence recommends taking the following measures to minimize the risk of exploitation:
  • Limit Network Exposure – minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Monitor Network Traffic – monitor access to the production segments. In the SCADAfence Platform, create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.
  • Monitor User Activity – in the SCADAfence Platform, monitor access to the affected devices and track user activity using the User Activity View.
  • Connect to SCADAfence Cloud – connect the SCADAfence Platform to the SCADAfence Cloud to get the latest signature and CVE updates.
  • Increase Severity of Alerts – in the SCADAfence Platform, increase severity of alerts per the below recommendations.

Affected Products

[CVE-2022-1161]: Modification of PLC Program Code
  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™5730 controllers
  • SoftLogix™ 5800 controllers
[CVE-2022-1159]: Modification of PLC Program Code
  • Studio 5000 Logix Designer application v28 and later
  • ControlLogix® 5580 controllers
  • GuardLogix® 5580 controllers
  • CompactLogix™ 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.
