
The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities

The flaws can be exploited to execute code on vulnerable controllers and workstations.
Written by Charlie Osborne, Contributor on

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on severe vulnerabilities impacting Rockwell Automation controllers.

Rockwell Automation provides industrial digital and automation solutions, including digital twin solutions, engineering products, and factory floor optimization hardware.

On March 31, CISA pointed customers to two recent advisories, "ICSA-22-090-05: Rockwell Automation Logix Controllers" and "ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer," which detail severe vulnerabilities in controller products.

The first advisory describes CVE-2022-1161, a vulnerability assigned a CVSS severity score of 10.0, the highest possible. The bug impacts a range of CompactLogix, Compact GuardLogix, ControlLogix, FlexLogix, DriveLogix, and SoftLogix controllers.

According to the advisory, the vulnerability can be triggered remotely with low attack complexity.

"Successful exploitation of this vulnerability may allow an attacker to modify user programs," the US agency says. "A user could then unknowingly download those modified elements containing malicious code."

The second bug, tracked as CVE-2022-1159 and issued a CVSS 'high' severity score of 7.7, impacts Studio 5000 Logix Designer in ControlLogix, GuardLogix, and Compact GuardLogix controllers.

This vulnerability requires an attacker to secure administrator access on a workstation running Studio 5000 Logix Designer first, but if they achieve this, they can inject controller code "undetectable to a user."

The vulnerabilities were reported by Claroty cybersecurity researchers Sharon Brizinov and Tal Keren.

Claroty has compared the exploitation of these security issues to Stuxnet, as stealthy code could be operating without an engineer being aware of any tampering.

"Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming, and investment-heavy attacks," the team commented. "Stuxnet's authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered."

Rockwell has published advisories (1,2) on the vulnerabilities with steps toward mitigation. 

Earlier this week, the US agency added a further 66 vulnerabilities to the Known Exploited Vulnerabilities Catalog, the list of flaws that federal agencies are instructed to remediate. The bugs currently under active exploitation in the wild include issues in networking kits, security appliances, and browsers.

In February, CISA published an online guide containing free guidance and tools on incident response. The service also includes tips for organizations looking to reduce their risk exposure. 
