Vulnerabilities in Rockwell Automation Logix Controllers

Published on 04 Apr 2022

Updated on 04 Apr 2022

Security researchers have discovered two vulnerabilities in Rockwell Automation Logix Controllers, CVE-2022-1161 and CVE-2022-1159. Successful exploitation of these vulnerabilities may allow an attacker to modify user programs. A user could then unknowingly download/execute those modified elements containing malicious code.

CVE-2022-1161
An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems.

CVE-2022-1159
An attacker with administrator access to a workstation running Studio 5000 Logix Designer can intercept the compilation process and inject malicious code into the user program, without the user's knowledge.

Affected Products for CVE-2022-1161

  • 1768 CompactLogixTM controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllersCompact
  • GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers 
  • ControlLogix 5560 controllers 
  • ControlLogix 5570 controllers 
  • ControlLogix 5580 controllers 
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers 
  • GuardLogix 5580 controllers
  • FlexLogixTM 1794-L34 controllers 
  • DriveLogixTM5730 controllers
  • SoftLogixTM 5800 controllers

Affected Products for CVE-2022-1159

  • ControlLogix 5580 controllers
  • GuardLogix 5580 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers


Mitigation Measures for CVE-2022-1161

  • Users are recommended to recompile and download user program code (i.e., acd)
  • Set the controller mode switch into "Run" position

If keeping controller mode switch in “Run” is impractical, users are encouraged to apply the following mitigations:

  • Recompile and download user program code (i.e., acd)
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Utilise the Controller Log feature
  • Utilise Change Detection in the Logix Designer Application
  • If available, use the functionality in FactoryTalk AssetCenter software to detect changes

In addition, the following mitigation should be applied for ControlLogix 5560, ControlLogix 5570, ControlLogix 5580 series, GuardLogix 5570, GuardLogix 5580, GuardLogix 5380, CompactLogix, CompactLogix 5380 devices. 

Implement Common Industrial Protocol (CIP) Security to help prevent unauthorised connections when properly deployed. Supported controllers and communications modules include:

  • ControlLogix 5580 processors using on-board EtherNet/IP port
  • GuardLogix 5580 processors using on-board EtherNet/IP port
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP module
  • If using a 1756-EN2T, then replace it with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP portCompactLogix GuardLogix 5380 using on-board EtherNet/IP port

Users are recommended to take defensive measures to minimise the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimise network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), and ensure that it is updated to the most current version available.

Detection Measures for CVE-2022-1159

As there is no direct mitigation for this vulnerability, users can determine if the user program residing in the controller is identical to what was downloaded by utilising the Logix Designer application Compare Tool v9 or later. This user program comparison must be performed on an uncompromised workstation. Before running the Compare Tool, users are encouraged to upgrade to:

  • Studio 5000 v34 software or later
  • Corresponding versions of Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware\
  • One of the following compare tools
    • Logix Designer application Compare Tool v9 or later – installed with Studio 5000 Logix Designer


If a mismatch is detected, the tool will alert the difference between the two programs, indicating that the hidden code is running on the controller. As this is an indication of a compromise, users should contact Rockwell for technical assistance to clean up the device.

 

More information is available here:
https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-05
https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07
https://www.zdnet.com/article/cisa-issues-alert-on-critical-ics-vulnerabilities-in-rockwell-systems/