A deeply critical (CVSS 10) security vulnerability in widely deployed industrial software produced by Rockwell Automation lets a remote attacker connect to almost any of the company’s Logix programmable logic controllers (PLCs), and upload malicious code, download information from the PLC, or install new firmware.
The bug has been known by security researchers since at least 2019 and has been independently reported to the vendor by Claroty, Kaspersky, and a team at South Korea's Soonchunhyang University. That's according to an ICS advisory from US agency CISA on February 25, which notes that "no known public exploits specifically target this vulnerability" (offensive security researchers around the world: "Hold my beer...").
The tools affected are used to control devices, pieces of machinery or even entire manufacturing plants in Operational Technology (OT)/industrial environments and the easy-to-abuse vulnerability is a stark reminder of how much work there is to do on OT security. (Rockwell is reminding users to "ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible..."
Thousands of businesses are likely exposed. A quick look on Shodan reveals PLCs from the US to Taiwan, Australia to Belgium facing the internet.
Rockwell Automation vulnerability: What's affected?
The bug appears to be the result of hard-coded credentials. As Claroty puts it: "[the] software may allow a secret cryptographic key to be discovered. This key is used to verify communication between Rockwell Logix controllers and their engineering stations. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass this verification mechanism and connect to Logix controllers.")
CISA cites the following products as affected:
- RSLogix 5000: Versions 16 through 20
- Studio 5000 Logix Designer: Versions 21 and later
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800
Rockwell Automation recommends a number of specific mitigations including putting the controller’s mode switch to “Run” mode and deploying CIP Security for Logix Designer connections. CIP Security prevents unauthorized connections when deployed properly.
Paul Baird, Chief Technical Security Officer UK at Qualys (previously global head of cybersecurity operations at Jaguar Land Rover) noted: "The consequences for the vulnerability themselves could be massive, as it offers the ability to rewrite code on PLCs or install new firmware. With these PLCs being so common across multiple industries, and with controllers varying from small and simple implementations through to larger control system deployments, the risks are hugely variable. An attacker could destroy expensive industrial assets, risk lives for those at plants, or simply use these PLCs as a staging point to get access to the IT network.
He added: "Tracking PLC components to fix the problem will be hard, as many organisations don’t have full asset lists that are accurate and up to date that are shared with the IT security team. It is hard enough to enforce security and updates when IT teams track endpoints that are continuously connected to IP networks, but these assets can be implemented without the necessary management and asset control side in place and they may not be on the same networks. Getting a full picture of every operational technology asset with PLCs included is therefore going to take time for many teams."