Team82 finds that vulnerabilities in Rockwell PLCs could trigger Stuxnet-like attacks

Claroty’s research arm Team82 and Rockwell Automation disclosed on Thursday details of two vulnerabilities in Rockwell programmable logic controllers (PLCs) and engineering workstation software that are deployed globally across multiple critical infrastructure sectors. Exploiting either flaw lets an attacker download modified logic to a PLC while the engineer at the workstation would likely see the process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.

Of the two vulnerabilities, the first, CVE-2022-1161, affects numerous versions of Rockwell’s Logix controllers and carries a CVSS score of 10, the highest criticality. The second, CVE-2022-1159, affects several versions of the Studio 5000 Logix Designer application and carries a CVSS score of 7.7, representing high severity. Rockwell has provided users with a tool that detects such hidden code, and organizations are urged to upgrade affected products to take advantage of these detection capabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control Systems Advisories (ICSAs) detailing the vulnerabilities in Rockwell Automation products. “An attacker could exploit these vulnerabilities to inject code on affected systems,” the agency said on Thursday.

Sharon Brizinov, a Claroty researcher, said that successful stealthy exploits of PLCs are among the rarest, most time-consuming, and investment-heavy attacks. “Stuxnet’s authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation,” Brizinov wrote in a company blog post. “Without advanced forensics utilities, the execution of such malicious code cannot be discovered,” he added.

Conceptually, exploitation follows the same pattern as in previous research: decouple the bytecode from the textual code, then modify one and not the other, Claroty said. For example, in the Rogue7 attack on Siemens SIMATIC S7 PLCs, researchers were able to modify the textual code while transferring malicious bytecode to the PLC.

Team82 researchers decided to test for these Stuxnet-type of attacks on the Rockwell Automation PLC platform. “Our research uncovered two vulnerabilities that expose the company’s Logix Controllers and Logix Designer application for engineering workstations to attacks that allow threat actors to stealthily modify automation processes,” Brizinov added.

Programmable logic and predefined variables drive these processes, and changes to either will alter normal operation of the PLC and the process it manages, according to Brizinov. “An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility,” he added.

The 2010 Stuxnet attack made headlines as one of the largest and most successful industrial cyber-attacks in history, prompting industrial organizations to take a hard look at the security of their operations.

Claroty investigated Rockwell’s engineering workstation software, Studio 5000 Logix Designer, and the mechanics of its download procedure. The New York-based firm uncovered “two vulnerabilities that allowed us to decouple textual code from binary code and transfer it to the PLC, while modifying one and not the other,” Brizinov added.

The first vulnerability was found within affected PLC firmware running on ControlLogix, CompactLogix, and GuardLogix control systems, Claroty said. “It allows attackers to write user-readable program code to a separate memory location from the executed compiled code, allowing the attacker to modify one and not the other. To do so, an attacker could use a hardcoded secret key vulnerability in Logix controllers previously disclosed by Team82 to communicate with Rockwell Automation PLCs and modify user programs without using Studio 5000 Logix Designer software,” the firm added.

The research team revealed that the second vulnerability was found within the Studio 5000 Logix Designer application that compiles the user program on the workstation. “This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer. The attacker can then intercept the compilation process and inject code into the user program. The user may potentially be unaware that this modification has taken place,” the post added.

Brizinov also pointed out that the end result of exploiting both vulnerabilities is the same. “The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC,” he added. 

Changes to the logic flow or to predefined local variables will alter a PLC’s normal operation and can result in new commands being sent to physical devices, such as belts and valves controlled by the PLC, Brizinov wrote. “Programmable logic drives automation processes, and that logic performs operations on variable input coming from physical connections and process-specific, predefined local variables. The logic and variables vary between different PLCs and each has specific roles in a process,” he added.

Team82 worked closely with Rockwell Automation engineers to understand the root cause of these vulnerabilities. As a result, Rockwell engineers developed a detection tool that looks for hidden code running on their PLCs by analyzing and comparing the textual code with the binary code running on the PLC. If a mismatch is detected, the tool alerts on the difference between the two, indicating that hidden code is running on the PLC, the post added.
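The two attack paths described above (writing bytecode to the controller without touching the readable program, or tampering with the workstation's compilation step) and the mismatch check Rockwell's tool performs can be modelled in a few lines. The following is an added illustration written for this page, not code from Rockwell, Claroty or Team82: the three-instruction "ladder" language, the opcode table, the fixed tag table and the deterministic compiler are all assumptions invented for the example, and real Logix controllers store project source and compiled routines in proprietary formats. What it shows is the essential property the detection relies on: the readable program and the executed program are held separately, so the only trustworthy check is to recompile what the engineer sees and compare it with what the controller actually runs.

```python
import hashlib
from dataclasses import dataclass

# Toy opcode table and tag table, invented for this example (not the Logix ISA).
OPCODES = {"XIC": 0x01, "XIO": 0x02, "OTE": 0x03}   # examine-if-closed, examine-if-open, output-energise
END_RUNG = 0x00
TAGS = ["start", "stop", "motor"]                     # fixed tag table shared by source and bytecode


def compile_source(source: str) -> bytes:
    """Deterministically compile rung text ("XIC start XIO stop OTE motor") into
    bytecode of the form <opcode><tag_index> ... <END_RUNG>, one rung per line."""
    out = bytearray()
    for line in source.strip().splitlines():
        tokens = line.split()
        if len(tokens) % 2:
            raise ValueError(f"malformed rung: {line!r}")
        for op, tag in zip(tokens[::2], tokens[1::2]):
            out += bytes([OPCODES[op], TAGS.index(tag)])
        out.append(END_RUNG)
    return bytes(out)


def execute(bytecode: bytes, inputs: dict) -> dict:
    """Run one scan of the bytecode over the given tag values and return all tags."""
    tags = dict.fromkeys(TAGS, False)
    tags.update(inputs)
    i, rung = 0, True
    while i < len(bytecode):
        op = bytecode[i]
        if op == END_RUNG:          # every rung starts out energised
            rung, i = True, i + 1
            continue
        tag = TAGS[bytecode[i + 1]]
        if op == OPCODES["XIC"]:
            rung = rung and tags[tag]
        elif op == OPCODES["XIO"]:
            rung = rung and not tags[tag]
        elif op == OPCODES["OTE"]:
            tags[tag] = rung
        else:
            raise ValueError(f"bad opcode {op:#x} at offset {i}")
        i += 2
    return tags


@dataclass
class PLC:
    source: str = ""        # user-readable program: what the workstation shows on upload
    bytecode: bytes = b""   # compiled program: what the controller actually executes


def legit_download(plc: PLC, source: str) -> None:
    """Normal engineering-workstation download: source and compiled code written together."""
    plc.source = source
    plc.bytecode = compile_source(source)


def rogue_download(plc: PLC, bytecode: bytes) -> None:
    """Attacker path: overwrite only the executed region and leave the readable source alone.
    A tampered workstation compiler produces the same end state from the other direction."""
    plc.bytecode = bytecode


def detect_hidden_code(plc: PLC) -> bool:
    """Recompile the readable source and compare it with the executed bytecode.
    True means the controller is running something its source does not describe."""
    expected = hashlib.sha256(compile_source(plc.source)).hexdigest()
    actual = hashlib.sha256(plc.bytecode).hexdigest()
    return expected != actual


def demo() -> dict:
    benign = "XIC start XIO stop OTE motor"   # motor runs only while stop is not pressed
    hidden = "XIC start OTE motor"            # stop button silently ignored
    plc = PLC()
    legit_download(plc, benign)
    clean_before = not detect_hidden_code(plc)
    rogue_download(plc, compile_source(hidden))   # attacker compiles offline, writes bytecode only
    pressed = {"start": True, "stop": True}       # operator hits stop while start is held
    return {
        "clean_before": clean_before,
        "source_seen_by_engineer": plc.source,
        "motor_per_source": execute(compile_source(plc.source), pressed)["motor"],
        "motor_actually": execute(plc.bytecode, pressed)["motor"],
        "hidden_code_detected": detect_hidden_code(plc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the engineer's view (`source_seen_by_engineer`) still reading the benign rung and the motor staying off according to that source, while the controller actually energises the motor with the stop button pressed; only the recompile-and-compare step flags the discrepancy. Note that the check is only as good as the compiler doing the recompilation: if the workstation itself is compromised (the second vulnerability's precondition), the comparison must be run with a trusted build of the tool rather than the one on that workstation.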

Airbus researchers had in March 2020 carried out similar research and attacks on Schneider Electric PLCs and modified native bytecode being transferred to the PLC. 

“Implementing Stuxnet type attacks on PLCs from other manufacturers is possible. In the case of the Modicon M340, this porting is easier because the PLC executes ARM bytecode natively (and not proprietary assembly code),” Flavian Dola, an Airbus vulnerability researcher, wrote at the time in a blog post.

“This exercise gives us the opportunity to extend M340 functionality by developing automation code directly in C. Now we can perform low level actions which are very difficult to do with other languages (e.g Ladder, Grafcet),” Dola added.
