CISA, Claroty warn of two vulnerabilities affecting industrial Rockwell products
Image: Viktor Vasicsek, The Record
Jonathan Greig April 1, 2022

CISA, Claroty warn of two vulnerabilities affecting industrial Rockwell products

CISA, Claroty warn of two vulnerabilities affecting industrial Rockwell products

CISA on Thursday released two Industrial Controls Systems Advisories detailing vulnerabilities in Rockwell Automation products that could allow a threat actor to inject malicious code on an affected system. 

The advisories came alongside a report from security firm Claroty detailing CVE-2022-1161 and CVE-2022-1159, which carry CVSS scores of 10 and 7.7 respectively. A CVSS score of 10 is the highest possible, and indicates a critical level of severity.

Claroty’s Team 82 security unit said Rockwell’s Logix programmable logic controllers (PLCs) are common in almost all industrial markets, including food and beverage, automotive, and oil and gas. 

The vulnerability affects firmware found in numerous Logix products, including CompactLogix, GuardLogix, Compact GuardLogix, and ControlLogix PLCs.

The company called the vulnerabilities “Stuxnet-type threats” referencing the malicious worm used to target the PLCs and supervisory control and data acquisition (SCADA) systems of Iran’s nuclear facilities

“An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility,” they said. 

According to Claroty, CVE-2022-1161 and CVE-2022-1159 expose Rockwell’s Logix Controllers and Logix Designer applications to attacks that can modify automation processes, allowing the attacker to fully damage systems without the user ever knowing. 

“The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC,” Claroty explained. 

“Changes to the logic flow or predefined local variables will alter a PLC’s normal operation and can result in new commands being sent to physical devices, such as belts and valves controlled by the PLC.”

They shared a proof-of-concept where, in a real-life situation, exploitation “could potentially cause great damage to the automation process (e.g. tags that control the speed of an engine).”

‘No direct mitigation’

CISA added in its own advisory that successful exploitation of this vulnerability may allow an attacker to download a modified program to the controller. 

“There is no direct mitigation for this vulnerability in the Logix Designer application. However, a detection method is available to determine if the user program residing in the controller is identical to what was downloaded,” CISA said of CVE-2022-1159. 

“No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.”

For CVE-2022-1161, CISA provided a range of mitigations users should implement for the range of affected products.

Claroty noted that successful stealthy exploits of PLCs are among the “rarest, most time-consuming, and investment-heavy attacks.” 

Stuxnet’s authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation, the researchers explained.

Without advanced forensics utilities, according to Claroty, the execution of such malicious code cannot be discovered. 

BluBracket’s Pan Kamal said the attack described is very similar to the Log4Shell methodology of hiding code inside ladder logic that gets loaded into the PLCs – hidden in plain sight. 

“Similar to Log4J, where malware is disguised as log content, or potentially code commented out, malware in the Claroty example is hidden inside the PLC configuration files as part of the code,” Kamal said. “It is distinct and separate enough to execute by itself. Most humans would not know what they would visually be looking at by parsing the code.”

The CISA release comes days after the agency partnered with the Department of Energy to warn of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. 

UPS devices can typically be found in hospitals, industrial facilities, server rooms and data centers.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.