The research team at industrial cybersecurity company Claroty have found the presence of a severe vulnerability that affects communications between Rockwell Automation programmable logic controllers (PLCs) and engineering stations. Exploiting the flaw enables an attacker to remotely connect to almost any of the company’s Logix PLCs, and upload malicious code, download information from the PLC, or install new firmware.
The vulnerability lies in the fact that Studio 5000 Logix Designer software may allow a secret cryptographic key to be discovered, Claroty revealed in a blog post on Thursday. This key is used to verify communications between Rockwell Logix controllers and their engineering stations.
“An attacker with this key could mimic a workstation and therefore be able to manipulate configurations or code running on the PLC (upload/download logic), and directly impact a manufacturing process,” wrote Sharon Brizinov, one of the researchers, who detected the existence of the vulnerability in the process used to verify communications between Rockwell PLCs and engineering stations.
Deployed globally across multiple critical infrastructure sectors, such as energy, water and manufacturing, Rockwell’s Studio 5000 Logix Designer, RSLogix 5000 and other Logix Controllers can allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers, the Cybersecurity and Infrastructure Agency (CISA) said in an advisory on Thursday. Additionally, the loophole could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.
Claroty provided a list of affected versions that include Rockwell’s Studio 5000 Logix Designer (versions 21 and later) and RSLogix 5000 (versions 16-20), in addition to Rockwell Logix Controllers (CompactLogix 1768, 1769, 5370, 5380, 5480, 5550, 5560, 5570, 5580), Drive Logix (5560, 5730, 1794-L34), Compact GuardLogix (5370 and 5380), GuardLogix (5570 and 5580), and SoftLogix 5800.
Claroty had privately disclosed the flaw to Rockwell in 2019. Researchers from South Korea’s Soonchunhyang University’s Lab of Information Systems Security Assurance, and Kaspersky Lab, were also credited by ICS-CERT as having independently discovered the vulnerability. A CVSS v3 base score of 10.0 has been calculated for the vulnerability.
Earlier this week, exploitation of a security vulnerability through use of password hash without much computational effort was found in Rockwell’s FactoryTalk Services versions 6.10.00 and 6.11.00. Assigned a CVSS v3 base score of 10.0, the loophole could allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console. It also could allow an attacker to modify or delete configuration and application data in other FactoryTalk software connected to the FactoryTalk Services Platform.
Claroty earlier revealed this month a 25 percent rise for the second half of 2020 in industrial control system (ICS) vulnerabilities compared to 2019, with over 70 percent of flaws remotely exploitable through network attack vectors. It also recorded a 33 percent rise in ICS loopholes from the first half of last year.
Rockwell has advised its users to place the controller’s mode switch to “run” mode and deploy CIP Security for Logix Designer connections, as CIP Security prevents unauthorized connections when deployed properly. It also recommended generic mitigations to blunt the effects of this vulnerability, such as control systems placed behind firewalls and isolated from other networks whenever feasible. Secure remote access is also suggested; at a minimum, using a VPN to connect to a device.