CVSS assigns severity score of 10.0 to Rockwell controller vulnerability

"Tracking PLC components to fix the problem will be hard," said one commentator

Security researchers have discovered a major vulnerability in programmable logic controllers (PLCs) from Rockwell Automation that could allow a remote attacker to connect to affected controllers and make unauthorised changes to them.

Security researchers from Claroty, Kaspersky Lab, and South Korea's Soonchunhyang University's Lab of Information Systems Security Assurance all independently uncovered the flaw, indexed as CVE-2021-22681. The US Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell also published advisories on the topic this week.

According to US-CERT, the flaw can be exploited remotely and requires only a low skill level to exploit. It has received a CVSS v3 base score of 10.0, the highest possible on the scale, which corresponds to a vulnerability that is reachable over the network with low attack complexity, needs no privileges or user interaction, and has a high impact on confidentiality, integrity and availability that extends beyond the vulnerable component itself.

The vulnerability affects Studio 5000 Logix Designer (formerly RSLogix 5000), as well as more than a dozen Logix controllers from Rockwell.

Claroty researchers say the flaw exists in a mechanism used to verify communication between engineering stations and Rockwell Automation PLCs.

If exploited, the bug could enable an unauthenticated remote attacker to recover the secret cryptographic key used in that verification, bypass the verification mechanism and connect to Logix controllers. A tool other than the legitimate engineering software could then modify the controller's configuration and/or application code.

"An attacker with this key could mimic a workstation and therefore be able to manipulate configurations or code running on the PLC (upload/download logic), and directly impact a manufacturing process," the researchers said.

The following controllers are affected:

At the moment, Rockwell Automation has not issued a patch that directly addresses the problem with the cryptographic key.

Instead, the firm is advising admins to apply specific mitigation measures to reduce the risk. These include setting the controller's mode switch to 'Run', which stops program downloads being accepted over the network, and deploying CIP Security, ODVA's secure-communication extension to EtherNet/IP, so that the controller only accepts authenticated connections.

More generic mitigation measures include proper network segmentation and additional security controls such as isolating the controllers from other networks.
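The security point in the researchers' description above, and the reason the 'Run' mode and per-device authentication mitigations work, can be shown with a small model. The following is an added example, not Rockwell's code or protocol: it uses a hypothetical HMAC challenge-response in which the controller trusts a key that ships inside every copy of the engineering tool (the constant EMBEDDED_TOOL_KEY is a constructed placeholder). The Controller, respond and attempt names are invented for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a key compiled into every copy of an engineering
# tool. Hypothetical value; nothing here reproduces the real key.
EMBEDDED_TOOL_KEY = b"constructed-static-key-present-in-every-install"


def respond(key: bytes, nonce: bytes) -> bytes:
    """Challenge-response tag: HMAC-SHA256 over the controller's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Controller:
    """Toy PLC (hypothetical). A logic download is accepted only if the mode
    switch allows it and the peer proves knowledge of the trusted key."""

    def __init__(self, trusted_key: bytes, mode: str = "REMOTE"):
        self.trusted_key = trusted_key
        self.mode = mode              # "RUN", "REMOTE" or "PROGRAM"
        self.logic = "ORIGINAL_LOGIC"
        self.audit = []               # self-reported peer names, in order

    def new_nonce(self) -> bytes:
        return secrets.token_bytes(16)

    def download(self, peer: str, nonce: bytes, tag: bytes, new_logic: str) -> bool:
        if self.mode == "RUN":        # mode switch in Run: no program changes
            return False
        if not hmac.compare_digest(respond(self.trusted_key, nonce), tag):
            return False              # peer could not prove it holds the key
        self.logic = new_logic
        self.audit.append(peer)
        return True


def attempt(ctrl: Controller, peer: str, key: bytes, logic: str) -> bool:
    """One download attempt by a peer holding `key`, claiming to be `peer`."""
    nonce = ctrl.new_nonce()
    return ctrl.download(peer, nonce, respond(key, nonce), logic)


def weak_design() -> dict:
    """Controller trusts the key baked into the tool. Anyone who extracts it
    from a tool binary passes the same check and can claim to be the
    legitimate workstation; the audit trail cannot tell them apart."""
    ctrl = Controller(trusted_key=EMBEDDED_TOOL_KEY, mode="REMOTE")
    return {
        "legit_workstation": attempt(ctrl, "engineering-ws", EMBEDDED_TOOL_KEY, "V2"),
        "rogue_tool": attempt(ctrl, "engineering-ws", EMBEDDED_TOOL_KEY, "V3"),
        "final_logic": ctrl.logic,
        "audit": ctrl.audit,
    }


def run_mode_mitigation() -> dict:
    """Same weak key, but the mode switch is left in Run: downloads are
    refused regardless of the key presented."""
    ctrl = Controller(trusted_key=EMBEDDED_TOOL_KEY, mode="RUN")
    return {
        "rogue_tool": attempt(ctrl, "engineering-ws", EMBEDDED_TOOL_KEY, "V3"),
        "final_logic": ctrl.logic,
    }


def per_device_credential() -> dict:
    """Hardened: the controller trusts a credential provisioned to one
    workstation out of band, not a key shipped in the software. The key
    extracted from the tool no longer proves anything. This stands in for
    per-device identities as used by CIP Security; it is not that protocol."""
    ws_credential = secrets.token_bytes(32)   # given only to the authorised workstation
    ctrl = Controller(trusted_key=ws_credential, mode="REMOTE")
    return {
        "legit_workstation": attempt(ctrl, "engineering-ws", ws_credential, "V2"),
        "rogue_tool": attempt(ctrl, "engineering-ws", EMBEDDED_TOOL_KEY, "V3"),
        "final_logic": ctrl.logic,
    }


if __name__ == "__main__":
    print(weak_design())
    print(run_mode_mitigation())
    print(per_device_credential())
```

In the weak design the rogue tool's download succeeds and the audit log records two entries from "engineering-ws", because the only thing the controller ever checked was possession of a key that every installation carries. Run mode blocks the change without fixing the authentication; a credential that lives only on the authorised workstation fixes it.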

The company also shared information to help admins detect unauthorised changes to their controllers.

"This issue is a serious one for companies that have invested in Rockwell," said Paul Baird, chief technical security officer UK at Qualys.

"The consequences of the vulnerability could be massive, as it offers the ability to rewrite code on PLCs or install new firmware. With these PLCs being so common across multiple industries, and with controllers varying from small and simple implementations through to larger control system deployments, the risks are hugely variable. An attacker could destroy expensive industrial assets, risk lives for those at plants, or simply use these PLCs as a staging point to get access to the IT network.

"Tracking PLC components to fix the problem will be hard, as many organisations don't have full asset lists that are accurate, up to date and shared with the IT security team. It is hard enough to enforce security and updates when IT teams track endpoints that are continuously connected to IP networks, but these assets can be implemented without the necessary management and asset control in place, and they may not be on the same networks. Getting a full picture of every operational technology asset, PLCs included, is therefore going to take time for many teams."