Team82 and Rockwell Automation today disclosed some details about two vulnerabilities in Rockwell programmable logic controllers and engineering workstation software.
CVE-2022-1161 affects numerous versions of Rockwell's Logix Controllers and has a CVSS score of 10, the highest criticality.
CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity.
Modified code could be downloaded to a PLC while the engineer at their workstation sees the process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.
Rockwell has provided users with a tool that detects such hidden code.
Users are urged to upgrade affected products to leverage these detection capabilities.
CISA has published an advisory warning users about the severity of these issues.
Rockwell Automation has also published advisories here and here.
Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming, and investment-heavy attacks. Stuxnet's authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensic utilities, the execution of such malicious code cannot be discovered.
Conceptually, exploitation follows the same pattern as in previous research: decouple the bytecode from the textual code, modify one, and leave the other untouched. For example, in the Rogue7 attack on Siemens SIMATIC S7 PLCs, researchers were able to modify the textual code while transferring malicious bytecode to the PLC. Airbus researchers carried out similar research and attacks on Schneider Electric PLCs, modifying native bytecode being transferred to the PLC.
Team82 decided to test for these Stuxnet-type attacks on the Rockwell Automation PLC platform. Our research uncovered two vulnerabilities that expose the company's Logix Controllers and the Logix Designer application for engineering workstations to attacks that allow threat actors to stealthily modify automation processes.
Programmable logic and predefined variables drive these processes, and changes to either will alter the normal operation of the PLC and the process it manages. An attacker with the ability to modify PLC logic could cause physical damage to factories, affecting the safety of manufacturing assembly lines or the reliability of robotic devices; in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility.
Rockwell Automation today disclosed these vulnerabilities and has developed a tool that detects differences between binary and textual code. Using this tool, hidden code can be detected.
At its core, an engineering workstation is a fully working integrated development environment (IDE) and compiler for PLC programs. From a high-level perspective, the process of executing logic on the PLC consists of four main steps, illustrated below:
Develop: The engineer will use the IDE capabilities of the engineering workstation to develop a new PLC program in one of the main automation programming languages, such as Ladder Diagram (LD), Structured Text (ST), Function Block Diagram (FBD), and others. This code is known as textual code.
Compile: Once developed, the engineer will want to transfer the new logic to the controller. To achieve this, the engineering workstation will compile the program to a PLC-compatible bytecode depending on the firmware and architecture of the target PLC. This code is referred to as binary code.
Transfer: Next, the engineering workstation will communicate with the PLC over its proprietary protocol and transfer the compiled bytecode. This process is often called a download procedure, download logic, or download configuration. The download terminology refers to the viewpoint of the PLC in this process (the PLC downloads the code).
Execute: Once the bytecode has been delivered successfully to the PLC, the logic will be executed.
In our research of Rockwell Automation's engineering workstation, Studio 5000 Logix Designer, and the mechanics of its download logic procedure, we uncovered two vulnerabilities that allowed us to decouple textual code from binary code and transfer it to the PLC, while modifying one and not the other.
The first vulnerability, CVE-2022-1161 (CVSS v3.1 Base Score: 10.0/CRITICAL), was found within affected PLC firmware running on ControlLogix, CompactLogix, and GuardLogix control systems. It allows attackers to write user-readable program code to a separate memory location from the executed compiled code, allowing the attacker to modify one and not the other. To do so, an attacker could use a hardcoded secret key vulnerability in Logix Controllers previously disclosed by Team82 to communicate with Rockwell Automation PLCs and modify user programs without using Studio 5000 Logix Designer software.
The second vulnerability, CVE-2022-1159, was found within the Studio 5000 Logix Designer application that compiles the user program on the workstation. This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer. The attacker can then intercept the compilation process and inject code into the user program. The user may potentially be unaware that this modification has taken place.
The end result of exploiting either vulnerability is the same: the engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC.
Changes to the logic flow or predefined local variables will alter a PLC's normal operation and can result in new commands being sent to physical devices, such as belts and valves controlled by the PLC.
Programmable logic drives automation processes, and that logic performs operations on variable input coming from physical connections and process-specific, predefined local variables. The logic and variables vary between different PLCs and each has specific roles in a process.
For example, in our proof-of-concept, we modified the binary code to stealthily modify certain automation process variables (also known as tags) to different values. In a real-life situation, these changed values could potentially cause great damage to the automation process (e.g. tags that control the speed of an engine).
Team82 worked closely with Rockwell Automation engineers to understand the root cause of these attacks. As a result, Rockwell engineers came up with sophisticated solutions to detect hidden code running on their PLCs by analyzing and comparing the textual code and the binary code running on the PLC. If a mismatch is detected, the tool alerts on the difference between the two, indicating that hidden code is running on the PLC, as illustrated below.
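The four-step pipeline described above (develop, compile, transfer, execute) and the compare-based detection that Rockwell built can be modelled end to end in a few dozen lines. The following is an added example, not Team82's or Rockwell's code: it defines a hypothetical mini-language with made-up opcodes and tag names, compiles it deterministically, keeps the textual and binary halves in separate fields exactly as the post describes, and implements a compare check that recompiles the stored textual code and diffs it byte-for-byte against the bytecode the controller would execute. The demo builds one consistent image and one constructed image whose two halves disagree, and shows that only the compare step, not the engineer's view of the textual code, reveals the difference.

```python
# Added example, not Team82's or Rockwell's code: a toy model of the
# develop -> compile -> transfer -> execute pipeline plus a compare check that
# recompiles the textual code held on the controller and diffs it against the
# bytecode stored for execution. Mini-language, opcodes and tags are hypothetical.
from dataclasses import dataclass

# Hypothetical mini-language, one instruction per line:
#   SET <tag> <int>   store a constant into a tag
#   ADD <tag> <int>   add a constant to a tag (16-bit wraparound)
#   OUT <tag>         latch the tag's current value onto an output
OPCODES = {"SET": 0x01, "ADD": 0x02, "OUT": 0x03}
TAG_IDS = {"motor_speed": 0x10, "valve_pos": 0x11}
ID_TO_TAG = {v: k for k, v in TAG_IDS.items()}


def compile_program(textual_code: str) -> bytes:
    """'Compile' step: deterministically turn textual code into bytecode."""
    out = bytearray()
    for lineno, raw in enumerate(textual_code.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        op = parts[0].upper()
        tag = parts[1] if len(parts) > 1 else None
        if op not in OPCODES or tag not in TAG_IDS:
            raise ValueError(f"line {lineno}: bad instruction {raw!r}")
        out += bytes([OPCODES[op], TAG_IDS[tag]])
        if op == "OUT":
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: OUT takes one operand")
            continue
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: {op} takes two operands")
        value = int(parts[2])
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"line {lineno}: operand out of 16-bit range")
        out += value.to_bytes(2, "big")
    return bytes(out)


@dataclass
class ControllerImage:
    """What the controller holds after a download ('Transfer' step): the
    engineer-readable textual code and the executable bytecode, in separate
    memory locations, which is what lets the two drift apart."""
    textual_code: str
    binary_code: bytes


def execute(binary_code: bytes) -> dict:
    """'Execute' step: interpret the bytecode and return the output latches."""
    tags = {name: 0 for name in TAG_IDS}
    outputs, i = {}, 0
    while i < len(binary_code):
        op, tag = binary_code[i], ID_TO_TAG[binary_code[i + 1]]
        if op == OPCODES["OUT"]:
            outputs[tag] = tags[tag]
            i += 2
            continue
        value = int.from_bytes(binary_code[i + 2:i + 4], "big")
        if op == OPCODES["SET"]:
            tags[tag] = value
        elif op == OPCODES["ADD"]:
            tags[tag] = (tags[tag] + value) & 0xFFFF
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {i}")
        i += 4
    return outputs


def compare(image: ControllerImage) -> dict:
    """Detection check: recompile the stored textual code and diff it against
    the stored bytecode. A mismatch means the code the engineer sees in the
    workstation is not the code the controller is running."""
    expected, actual = compile_program(image.textual_code), image.binary_code
    first = next((i for i, (a, b) in enumerate(zip(expected, actual)) if a != b), None)
    if first is None and len(expected) != len(actual):
        first = min(len(expected), len(actual))  # one side is a prefix of the other
    return {"match": first is None, "first_mismatch_offset": first}


# Constructed sample program; tag names and values are made up.
ENGINEER_PROGRAM = "SET motor_speed 1200   # nominal speed\nADD motor_speed 50\nOUT motor_speed\n"


def demo() -> dict:
    consistent = ControllerImage(ENGINEER_PROGRAM, compile_program(ENGINEER_PROGRAM))
    # Constructed desynchronised image: textual code unchanged, bytecode half
    # replaced by a different program. This is the state compare() must catch.
    desynced = ControllerImage(ENGINEER_PROGRAM,
                               compile_program("SET motor_speed 3000\nOUT motor_speed"))
    return {
        "consistent": compare(consistent),
        "desynced": compare(desynced),
        "engineer_expects": execute(consistent.binary_code),
        "controller_runs": execute(desynced.binary_code),
    }
```

Running `demo()` reports a match for the consistent image and a mismatch at byte offset 2 for the desynchronised one, while the textual code of both images is identical; the design point is that the comparison must be anchored in a fresh compilation of the textual code, because the textual copy on the controller is exactly the half an adversary leaves untouched.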
To leverage these detection capabilities, asset owners are directed to upgrade to:
Studio 5000 V34 or later
Corresponding versions of Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware
One of the following Compare tools:
Additional detection and mitigation options include:
Affected Products:
1768 CompactLogix controllers
1769 CompactLogix controllers
CompactLogix 5370 controllers
CompactLogix 5380 controllers
CompactLogix 5480 controllers
Compact GuardLogix 5370 controllers
Compact GuardLogix 5380 controllers
ControlLogix 5550 controllers
ControlLogix 5560 controllers
ControlLogix 5570 controllers
ControlLogix 5580 controllers
GuardLogix 5560 controllers
GuardLogix 5570 controllers
GuardLogix 5580 controllers
FlexLogix 1794-L34 controllers
DriveLogix 5730 controllers
SoftLogix 5800 controllers
Description: An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location from the executed compiled code, allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681.
Affected Products: Studio 5000 Logix Designer application v28 and later, and the following Logix controllers running these affected versions:
ControlLogix 5580 controllers
GuardLogix 5580 controllers
CompactLogix 5380 controllers
CompactLogix 5480 controllers
Compact GuardLogix 5380 controllers
Description: Studio 5000 Logix Designer compiles the user program on the workstation. This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer. The attacker can then intercept the compilation process and inject code into the user program. The user may potentially be unaware that this modification has taken place.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends that users upgrade to the following:
CVSS v3: 7.5
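The JWT finding above is a general pattern: when the HMAC secret that signs session tokens is baked into the product, anyone with a copy of the software can mint tokens that every deployment accepts. The following is an added example, not Optigo's code, of the defensive shape: a per-deployment secret loaded from configuration (the variable name SESSION_SIGNING_KEY and the placeholder list are assumptions), a startup check that fails closed on a missing or placeholder value, and HS256 issue/verify routines that pin the algorithm and use a constant-time comparison.

```python
# Added example, not Optigo's code: an HS256 JWT session helper that refuses
# to run with a missing, placeholder or short signing secret and verifies
# tokens only against the per-deployment secret. Names are hypothetical.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed list of placeholder values a deployment must not ship with.
PLACEHOLDER_SECRETS = {"", "changeme", "secret", "default", "password"}
MIN_SECRET_LEN = 32  # HS256 keys should be at least the hash output size


def generate_secret() -> str:
    """Fresh random secret for one deployment, to be stored outside the code."""
    return secrets.token_urlsafe(48)


def load_signing_secret(env: dict) -> bytes:
    """Read the secret from configuration (hypothetical key SESSION_SIGNING_KEY)
    and fail closed instead of falling back to a built-in constant."""
    raw = env.get("SESSION_SIGNING_KEY")
    if raw is None or raw in PLACEHOLDER_SECRETS or len(raw) < MIN_SECRET_LEN:
        raise RuntimeError("SESSION_SIGNING_KEY missing or too weak; "
                           "set it to the output of generate_secret()")
    return raw.encode()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, now: Optional[int] = None, ttl: int = 3600) -> str:
    """Mint a compact JWT signed with HMAC-SHA256 under the deployment's key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl)
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, body))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None.
    The algorithm is pinned to HS256 so the header cannot select 'none'."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        signature = _unb64url(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_unb64url(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

Tokens minted under one deployment's secret fail verification under any other secret, and a payload spliced onto a signature from a different token fails the HMAC check; both properties are exactly what a hard-coded key destroys, since every installation then shares the same signing key.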
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends that users download v2025.1 or later of their software.
CVSS v3: 5.7
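The certificate-validation failure above is worth showing beside its fix, because the weak and the correct TLS configuration differ by only a couple of attributes. The following is an added example, not Medixant's code: an update client that builds a context which verifies the server's chain and hostname and requires TLS 1.2 or later, shown next to the unverified context the advisory describes, with a guard that refuses to download over the weak one and an independent SHA-256 check of the payload against a digest the client already holds (for instance from a signed manifest). The URL, hostnames and the digest source are assumptions.

```python
# Added example, not Medixant's code: an update client whose TLS context
# verifies the server certificate chain and hostname, shown next to the
# weak configuration the advisory describes, plus an integrity check of the
# downloaded payload against a hash shipped with the client. URLs and names
# are hypothetical.
import hashlib
import hmac
import ssl
import urllib.request
from typing import Optional


def weak_update_context() -> ssl.SSLContext:
    """The failure mode: certificate and hostname checks switched off, so any
    host that answers on the path can pose as the update server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def update_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened context: chain verified against the system store (or a private
    CA bundle if the vendor runs its own PKI), hostname checked, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED   # create_default_context already sets
    ctx.check_hostname = True             # these; stated explicitly on purpose
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Guard used before any update download."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def payload_matches(payload: bytes, expected_sha256_hex: str) -> bool:
    """Second line of defence: the update must match the digest the client
    already knows (e.g. from a signed manifest), independent of the transport."""
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


def fetch_update(url: str, expected_sha256_hex: str,
                 ctx: Optional[ssl.SSLContext] = None, timeout: float = 30) -> bytes:
    """Download an update over verified TLS only, then check its digest."""
    if not url.lower().startswith("https://"):
        raise ValueError("update URL must use https")
    ctx = update_context() if ctx is None else ctx
    if not context_is_safe(ctx):
        raise ValueError("refusing to download updates over an unverified TLS context")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        payload = resp.read()
    if not payload_matches(payload, expected_sha256_hex):
        raise ValueError("update payload does not match the expected SHA-256")
    return payload
```

The `context_is_safe` guard exists because the dangerous settings are one line away from the safe ones and often get disabled to work around an expired or self-signed certificate on the update server; treating such a context as a hard error, rather than a warning, is what keeps the fix from being silently undone.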