The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities

The flaws can be exploited to execute code on vulnerable controllers and workstations.
Written by Charlie Osborne, Contributing Writer

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on severe vulnerabilities impacting Rockwell Automation controllers.

Rockwell Automation provides industrial digital and automation solutions, including digital twin solutions, engineering products, and factory floor optimization hardware.

On March 31, CISA pointed customers to two recent advisories, "ICSA-22-090-05: Rockwell Automation Logix Controllers" and "ICSA-22-090-07: Rockwell Automation Studio 5000 Logix Designer," which detail severe vulnerabilities in controller products.

The first advisory describes CVE-2022-1161, a vulnerability assigned a CVSS severity score of 10.0, the highest possible. The bug impacts a range of CompactLogix, Compact GuardLogix, ControlLogix, FlexLogix, DriveLogix, and SoftLogix controllers.

According to the advisory, the vulnerability can be triggered remotely with low attack complexity.

"Successful exploitation of this vulnerability may allow an attacker to modify user programs," the US agency says. "A user could then unknowingly download those modified elements containing malicious code."

The second bug, tracked as CVE-2022-1159 and issued a CVSS 'high' severity score of 7.7, impacts Studio 5000 Logix Designer in ControlLogix, GuardLogix, and Compact GuardLogix controllers.

This vulnerability requires an attacker to secure administrator access on a workstation running Studio 5000 Logix Designer first, but if they achieve this, they can inject controller code "undetectable to a user."

The vulnerabilities were reported by Claroty cybersecurity researchers Sharon Brizinov and Tal Keren.

Claroty has compared the exploitation of these security issues to Stuxnet, as stealthy code could be operating without an engineer being aware of any tampering.

"Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming, and investment-heavy attacks," the team commented. "Stuxnet's authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered."

Rockwell has published two advisories on the vulnerabilities with steps toward mitigation.

Earlier this week, the US agency added a further 66 vulnerabilities to the Known Exploited Vulnerabilities Catalog, which lists bugs that federal agencies are instructed to remediate. The bugs currently under active exploitation in the wild include issues in networking kits, security appliances, and browsers.

In February, CISA published an online guide containing free guidance and tools on incident response. The service also includes tips for organizations looking to reduce their risk exposure. 
