The Specter of Stuxnet: CISA Issues Alert on Rockwell Automation ICS Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about serious vulnerabilities affecting Rockwell Automation controllers.

Rockwell Automation provides industrial automation and digital solutions, including digital twin solutions, engineered products and plant optimization hardware.

On March 31, CISA notified its customers of two recent advisories, “ICSA-22-090-05: Rockwell Automation Logix Controllers” and “ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer”, which detail serious vulnerabilities in the company's controller products.

The first advisory describes CVE-2022-1161, a vulnerability that has been assigned a CVSS severity score of 10.0, the highest possible. The bug affects a range of CompactLogix, Compact GuardLogix, ControlLogix, FlexLogix, DriveLogix, and SoftLogix controllers.

According to the advisory, the vulnerability can be triggered remotely with low attack complexity.

Successful exploitation of this vulnerability could allow an attacker to modify user programs. As the advisory notes, “A user could then unknowingly download these modified items containing malicious code.”

The second bug, tracked as CVE-2022-1159 and issued a “high” CVSS severity score of 7.7, affects Studio 5000 Logix Designer in ControlLogix, GuardLogix, and Compact GuardLogix controllers.

This vulnerability requires an attacker to first secure administrator access on a workstation running Studio 5000 Logix Designer, but if successful, they can inject controller code that is “undetectable to a user”.

The vulnerabilities were reported by Claroty cybersecurity researchers Sharon Brizinov and Tal Keren.

Claroty likened exploiting these security issues to Stuxnet, because the stealthy code could run without the engineer being aware of any tampering.

“Successful stealth exploits of Programmable Logic Controllers (PLCs) are among the rarest, most time-consuming, and most investment-intensive attacks,” the team commented. “The authors of Stuxnet have set the PLC hacking playbook by figuring out how to hide malicious bytecode running on a PLC while the engineer programming the controller only sees normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered.”

Rockwell has released advisories (1, 2) on the vulnerabilities with steps towards mitigation.

Earlier this week, the US agency added 66 additional vulnerabilities to its catalog of known exploited vulnerabilities, which federal agencies are tasked with patching. The bugs, all currently being actively exploited in the wild, include issues in network kit, security appliances, and browsers.

In February, CISA released an online guide with free incident response tips and tools. The guide also includes guidance for organizations looking to reduce their risk exposure.
