Analysis of the Rockwell Automation programmable logic controller (PLC) platform revealed two dangerous vulnerabilities. Exploiting them allows attackers to alter automation processes and potentially interrupt industrial operations, cause physical damage to factories, or take other malicious actions.
Cybersecurity researchers from Claroty Team82 discovered the vulnerabilities and described them as Stuxnet-like in nature: the flaws allow attackers to run malicious code on the PLC without causing any obviously unusual behavior. The vulnerabilities affect 17 Rockwell PLC models and, through them, critical infrastructure organizations around the world.
One of the vulnerabilities can be exploited remotely (CVE-2022-1161) and received the maximum CVSS score of 10. The vulnerability exists in the embedded PLC software running on the Rockwell ControlLogix, CompactLogix and GuardLogix controller lines.
“These are the leading PLC lines in the Rockwell catalog. The devices are common in almost all industries, including the automotive industry, food and beverage production, as well as the oil and gas industry,” said Amir Preminger, Vice President of Claroty.
The vulnerability stems from the fact that the PLC stores the executable form of a program (its bytecode) and the source code in different locations on the controller. This gives attackers the opportunity to change the bytecode without changing the source code, so an engineer inspecting the source sees nothing wrong. The underlying weakness is classified as inclusion of functionality from an untrusted control sphere.
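To make the source/bytecode split concrete from a defender's point of view, here is a constructed toy model, added to this article and not Rockwell's file format, Claroty's tooling, or any real Logix instruction encoding. It keeps a controller's source text and compiled bytecode as separate fields, then shows why a check that only compares source text misses divergence, while a check that recompiles the stored source and compares the result against the stored bytecode detects it. The rung syntax, the opcode table and the `Controller` class are all assumptions made for the illustration.

```python
"""Toy model of a controller that stores program source and compiled bytecode
separately, plus two integrity checks. Constructed illustration only: the rung
syntax, opcodes and data layout are invented and do not mirror Rockwell's."""
import hashlib
from dataclasses import dataclass

# Hypothetical opcode table for a four-instruction toy "ladder" language.
OPCODES = {"XIC": 0x01, "XIO": 0x02, "OTE": 0x03, "TON": 0x04}
END_OF_RUNG = 0xFF


def compile_source(source: str) -> bytes:
    """Deterministically compile rungs such as 'XIC Start XIO Stop OTE Motor'.
    Each instruction becomes: opcode byte, operand length byte, operand bytes."""
    out = bytearray()
    for rung in source.strip().splitlines():
        tokens = rung.split()
        if len(tokens) % 2 != 0:
            raise ValueError(f"rung has an instruction without an operand: {rung!r}")
        for i in range(0, len(tokens), 2):
            op, operand = tokens[i], tokens[i + 1]
            if op not in OPCODES:
                raise ValueError(f"unknown instruction {op!r}")
            encoded = operand.encode("utf-8")
            out.append(OPCODES[op])
            out.append(len(encoded))
            out += encoded
        out.append(END_OF_RUNG)
    return bytes(out)


@dataclass
class Controller:
    """Models a PLC that keeps source and bytecode in separate storage areas."""
    source: str
    bytecode: bytes


def download(source: str) -> Controller:
    """Normal engineering workflow: compile the source and store both artefacts."""
    return Controller(source=source, bytecode=compile_source(source))


def source_only_check(ctrl: Controller, expected_source: str) -> bool:
    """Weak check: compares only the stored source with what the engineer expects."""
    return ctrl.source == expected_source


def bytecode_check(ctrl: Controller) -> bool:
    """Stronger check: recompile the stored source and compare digests of the
    result with the bytecode the controller is actually executing."""
    expected = hashlib.sha256(compile_source(ctrl.source)).hexdigest()
    actual = hashlib.sha256(ctrl.bytecode).hexdigest()
    return expected == actual


def demo() -> dict:
    """Simulate the condition described above: the bytecode on the controller no
    longer corresponds to the source, while the source itself is untouched."""
    source = "XIC Start XIO Stop OTE Motor"
    healthy = download(source)
    # Constructed divergence: bytecode that ignores the Stop input entirely.
    diverged = Controller(source=healthy.source,
                          bytecode=compile_source("XIC Start OTE Motor"))
    return {
        "healthy_source_ok": source_only_check(healthy, source),
        "healthy_bytecode_ok": bytecode_check(healthy),
        "diverged_source_ok": source_only_check(diverged, source),   # True: misses it
        "diverged_bytecode_ok": bytecode_check(diverged),            # False: detected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that `source_only_check` is exactly the view an engineer gets by opening the project, and it passes on the diverged controller; only a check that derives the expected bytecode from the source independently of the controller (`bytecode_check`) exposes the mismatch. A real deployment would run that comparison from a trusted workstation against bytecode read back from the device rather than trusting either copy held on the controller.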
The second vulnerability (CVE-2022-1159) is present in the Rockwell Studio 5000 Logix Designer software, which engineers use to program their PLCs. The software allows engineers to develop, compile and download newly developed logic to Rockwell's line of programmable logic controllers.
The vulnerability in Studio 5000 Logix Designer allows an attacker with administrative access to the workstation on which the software is running to intercept the compilation process, inject malicious code, and then have it executed on the PLC without triggering any warnings. The vulnerability received a CVSS score of 7.7.