Vulnerabilities in Rockwell Automation PLCs could enable Stuxnet-like attacks
A security vendor’s recent analysis of Rockwell Automation’s programmable logic controller (PLC) platform has uncovered two serious vulnerabilities that give attackers a way to modify automation processes and potentially disrupt industrial operations, cause physical damage to factories, or take other malicious actions.
Researchers from Claroty Team82 discovered the vulnerabilities and this week described them as being Stuxnet-like in nature because of how they allow attackers to run malicious code on a PLC without triggering any obviously unusual behavior.
Rockwell Automation simultaneously published advisories on the two flaws for its customers. The advisories are available on Rockwell's site to those who have an account.
The vulnerabilities prompted an alert from the US Cybersecurity and Infrastructure Security Agency (CISA) Thursday that points organizations using the affected components to mitigation measures and a detection method for addressing the threat. The agency says the vulnerabilities impact critical infrastructure sector organizations around the world. It identifies the vulnerabilities as involving low attack complexity and one of them as being remotely exploitable.
Remotely Exploitable Vulnerability
The remotely exploitable vulnerability (CVE-2022-1161) has a maximum severity rating of 10 and is present in PLC firmware running on Rockwell’s ControlLogix, CompactLogix, and GuardLogix lines of control systems.
These are the leading lines of PLCs in Rockwell’s catalog, says Amir Preminger, vice president of research at Claroty. “These devices are common in almost all verticals including automotive, food & beverage, and oil & gas,” Preminger says. “The only industry that we can think of where we wouldn’t expect to see them is power transmission and distribution.”
Preminger says the vulnerability is tied to the fact that the PLC stores the executable file — or bytecode — and the source code (aka textual code) in separate locations on the PLC. This gives attackers a way to modify the bytecode without changing the source code.
“The PLC doesn’t require the two to be compatible,” Preminger says. “When an engineer connects to a PLC, they would see the same textual code running, while the bytecode that was altered results in malicious code running without any indication of change.” Claroty identified 17 Rockwell PLC models as being affected.
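The mechanism Preminger describes, a PLC that stores textual code and bytecode separately and never checks that the two agree, is the kind of gap a defender can close with an independent consistency check. The following is an added example written for this article, not code from Claroty, Rockwell, or the original page: it models a project with a toy instruction set and a toy compiler (the real Logix file format, instruction encoding, and APIs are deliberately not reproduced), then shows two checks a defender can run. The first recompiles the stored textual code and compares the result with the bytecode the controller would actually execute; the second compares the stored bytecode against a hash recorded at commissioning. All names, formats, and sample values are constructed for illustration.

```python
"""Toy model of a textual-code / bytecode consistency check for a PLC project.

Everything here is constructed for illustration: the instruction set, the
2-byte encoding, and the project container are hypothetical and do NOT
correspond to any Rockwell Logix format.
"""
import hashlib
from dataclasses import dataclass

# Hypothetical opcode table for a tiny ladder-like language.
OPCODES = {"XIC": 0x01, "XIO": 0x02, "OTE": 0x03, "OTL": 0x04, "OTU": 0x05}


def compile_text(text: str) -> bytes:
    """Deterministic toy compiler: each line 'OP OPERAND' becomes two bytes."""
    out = bytearray()
    for lineno, line in enumerate(text.strip().splitlines(), start=1):
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'OP OPERAND', got {line!r}")
        op, operand = parts
        if op not in OPCODES or not operand.isdigit():
            raise ValueError(f"line {lineno}: unknown instruction {line!r}")
        out += bytes([OPCODES[op], int(operand) & 0xFF])
    return bytes(out)


@dataclass(frozen=True)
class PlcProject:
    """Two separately stored artifacts, as described in the article."""
    textual_code: str   # what an engineer sees when connecting
    bytecode: bytes     # what the controller actually executes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two blobs disagree (length differences count)."""
    longest = max(len(a), len(b))
    return [i for i in range(longest)
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


def verify_against_source(project: PlcProject) -> dict:
    """Check 1: recompile the textual code and compare to the stored bytecode.

    A mismatch means the executable differs from what the visible source
    says should be running, which is exactly the condition an engineering
    workstation would not show on its own.
    """
    expected = compile_text(project.textual_code)
    return {
        "consistent": expected == project.bytecode,
        "expected_sha256": sha256_hex(expected),
        "stored_sha256": sha256_hex(project.bytecode),
        "diff_offsets": diff_offsets(expected, project.bytecode),
    }


def verify_against_baseline(project: PlcProject, baseline_sha256: str) -> bool:
    """Check 2: compare stored bytecode to a hash recorded at commissioning.

    This does not depend on having a trusted compiler available, only on
    having captured a known-good fingerprint earlier.
    """
    return sha256_hex(project.bytecode) == baseline_sha256


# --- Constructed sample data ------------------------------------------------
SOURCE = "XIC 1\nOTE 2\nXIO 3\nOTE 4\n"

# Known-good project: bytecode is exactly what the source compiles to.
GOOD = PlcProject(textual_code=SOURCE, bytecode=compile_text(SOURCE))
BASELINE_SHA256 = sha256_hex(GOOD.bytecode)  # recorded at commissioning

# Constructed mismatch case: same textual code, but one opcode in the stored
# bytecode differs (OTE -> OTL at offset 6). An engineer reading the textual
# code would see nothing unusual.
_tampered = bytearray(GOOD.bytecode)
_tampered[6] = OPCODES["OTL"]
MISMATCHED = PlcProject(textual_code=SOURCE, bytecode=bytes(_tampered))


if __name__ == "__main__":
    for name, proj in (("good", GOOD), ("mismatched", MISMATCHED)):
        result = verify_against_source(proj)
        baseline_ok = verify_against_baseline(proj, BASELINE_SHA256)
        print(f"{name}: source-consistent={result['consistent']} "
              f"baseline-match={baseline_ok} diff={result['diff_offsets']}")
```

Note that both projects present identical textual code, so a workstation that only displays source would show the same program for each; only the recompile-and-compare or the baseline-hash check surfaces the difference. In practice the baseline check is the easier one to deploy, since it needs only a stored fingerprint taken from a known-good controller rather than a trusted build of the vendor toolchain.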
CISA’s alert said the issue stemmed from a failure to control inclusion of functionality from an untrusted sphere. Its recommendations for addressing the problem are available in the alert.
To read the complete article, visit Dark Reading.