The specter of Stuxnet: CISA warns of Rockwell Automation ICS vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about serious vulnerabilities affecting Rockwell Automation controllers.

Rockwell Automation provides industrial digital and automation solutions, including digital twin solutions, engineering products and hardware for optimizing the factory floor.


On March 31, CISA alerted customers to two recent advisories, “ICSA-22-090-05: Rockwell Automation Logix Controllers” and “ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer,” which describe serious vulnerabilities in the controller products.

The first advisory describes CVE-2022-1161, a vulnerability assigned a CVSS severity rating of 10.0, the highest possible. The bug affects a range of CompactLogix, Compact GuardLogix, ControlLogix, FlexLogix, DriveLogix, and SoftLogix controllers.

According to the advisory, the vulnerability can be exploited remotely with low attack complexity.

Successful exploitation of this vulnerability could allow an attacker to modify user programs. “A user could then unknowingly download those modified elements that contain malicious code.”

The second bug, tracked as CVE-2022-1159 and assigned a CVSS “high” severity score of 7.7, affects Studio 5000 Logix Designer in ControlLogix, GuardLogix, and Compact GuardLogix controllers.

This vulnerability requires an attacker to first obtain administrative access on a workstation running Studio 5000 Logix Designer, but if they achieve this, they could inject controller code that is “undetectable by a user”.

The vulnerabilities were reported by Claroty cybersecurity researchers Sharon Brizinov and Tal Keren.

Claroty has compared exploitation of these vulnerabilities to Stuxnet, as hidden code could run without a technician being aware of any manipulation.

“Successful covert exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming and investment-intensive attacks,” the team said. “The authors of Stuxnet set the playbook for hacking PLCs by figuring out how to hide malicious bytecode running on a PLC while the engineer programming the controller sees nothing but normality on their engineering workstation. Forensic tools cannot detect the execution of such malicious code.”

Rockwell has published advisories (1, 2) on the vulnerabilities with steps towards mitigation.

Earlier this week, the US agency added 66 more vulnerabilities to its list of known exploited vulnerabilities for federal agencies to fix. The bugs currently in active use in the wild include problems in network kits, security devices, and browsers.

In February, CISA published an online guide with free incident response guidelines and resources. The service also includes tips for organizations looking to reduce their risk exposure.
