Severity: Critical
Advisory ID: PN1585
Publication Date: May 06, 2022
Last Updated: May 06, 2022
Revision Number: 1.2
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2021-22681, CVE-2022-1161
Summary
Logix Controllers May Allow for Unauthorized Code Injection
                
Revision History
Version 1.2 – May 06, 2022: Updated vulnerability details and risk mitigations
Detailed Information
Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”) whereby a private key was discovered, potentially allowing Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communications that do not originate from Studio 5000 Logix Designer® software.
Affected Products
- 1768 CompactLogix™ controllers
- 1769 CompactLogix controllers
- CompactLogix 5370 controllers
- CompactLogix 5380 controllers
- CompactLogix 5480 controllers
- Compact GuardLogix® 5370 controllers
- Compact GuardLogix 5380 controllers
- ControlLogix® 5550 controllers
- ControlLogix 5560 controllers
- ControlLogix 5570 controllers
- ControlLogix 5580 controllers
- GuardLogix 5560 controllers
- GuardLogix 5570 controllers
- GuardLogix 5580 controllers
- FlexLogix™ 1794-L34 controllers
- DriveLogix™5730 controllers
- SoftLogix™ 5800 controllers
Vulnerability Details
[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location from the executed compiled code, allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability – indicated by an X:
| Product | Structured Text (ST) | Ladder Diagrams (LD) | Function Block Diagram (FBD) | Sequential Function Chart (SFC) | Add-On Instructions (AOI) |
| --- | --- | --- | --- | --- | --- |
| 1768 CompactLogix | X | Not affected | X | X | X | 
| 1769 CompactLogix | X | Not affected | X | X | X | 
| CompactLogix 5370 | X | Not affected | X | X | X | 
| CompactLogix 5380 | X | X | X | X | X | 
| CompactLogix 5480 | X | X | X | X | X | 
| Compact GuardLogix 5370 | X | Not affected | X | X | X | 
| Compact GuardLogix 5380 | X | X | X | X | X | 
| ControlLogix 5550 | X | Not affected | X | X | X | 
| ControlLogix 5560 | X | Not affected | X | X | X | 
| ControlLogix 5570 | X | Not affected | X | X | X | 
| ControlLogix 5580 | X | X | X | X | X | 
| GuardLogix 5560 | X | Not affected | X | X | X | 
| GuardLogix 5570 | X | Not affected | X | X | X | 
| GuardLogix 5580 | X | X | X | X | X | 
| FlexLogix 1794-L34 | X | Not affected | X | X | X | 
| DriveLogix 5730 | X | Not affected | X | X | X | 
| SoftLogix 5800 | X | Not affected | X | X | X | 
Risk Mitigation & User Action
We recommend customers using the affected products, below, to apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to overall increase the security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family: ControlLogix 5570, ControlLogix 5580, GuardLogix 5570, GuardLogix 5580, CompactLogix 5380, Compact GuardLogix 5380
Risk Mitigation and Recommended User Actions:
- Risk Mitigation A:
- Risk Mitigation B: Implement CIP Security™ to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:

We recommend customers using the affected products, below, to apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family: 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, CompactLogix 5480, ControlLogix 5560, GuardLogix 5560
Risk Mitigation and Recommended User Actions:
- Risk Mitigation A:
- If keeping the controller mode switch in Run is impractical, then use the following mitigation:

In addition to applying risk mitigations, customers should also utilize the detection tools, listed below, to identify if this vulnerability has been exploited in their environment.
Exploitation Detection Method:
The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
- On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
- Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
- The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
- Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.
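As an added illustration (not code from this advisory or from Rockwell Automation), the following Python models the two points made above: why a check that compares only the human-readable program cannot detect the source/compiled divergence described under CVE-2022-1161, and why the detection method compares the program in the controller against a trusted record kept on an uncompromised workstation. The controller image, the stand-in "compiler" transform, the hash record, the function names and the sample program text are all constructed for this example; they do not model the Logix project format or EtherNet/IP.

```python
"""Constructed model of source/compiled divergence and a two-artifact
integrity check (example added to this page; not Rockwell code)."""
import hashlib
from dataclasses import dataclass


@dataclass
class ControllerImage:
    # Hypothetical controller memory: the readable program and the
    # executable image are stored in separate locations, as the advisory states.
    source: bytes
    compiled: bytes


@dataclass(frozen=True)
class GoldenRecord:
    # Hashes recorded at download time on an uncompromised workstation.
    source_hash: str
    compiled_hash: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compile_program(source: bytes) -> bytes:
    # Constructed stand-in for the compiler: deterministic, so the same
    # source always yields the same executable bytes.
    return b"EXE:" + hashlib.blake2s(source, digest_size=16).digest()


def download(source: bytes):
    """Simulate a download from the engineering workstation: the controller
    receives both artifacts and the workstation keeps their hashes."""
    compiled = compile_program(source)
    image = ControllerImage(source=source, compiled=compiled)
    return image, GoldenRecord(sha256(source), sha256(compiled))


def naive_verify(image: ControllerImage, golden: GoldenRecord) -> bool:
    """Compares only the readable program, i.e. what an operator sees
    when viewing the project online."""
    return sha256(image.source) == golden.source_hash


def full_verify(image: ControllerImage, golden: GoldenRecord) -> dict:
    """Compares both artifacts against the trusted record and also checks
    that the stored executable is what the stored source compiles to."""
    return {
        "source_matches_golden": sha256(image.source) == golden.source_hash,
        "compiled_matches_golden": sha256(image.compiled) == golden.compiled_hash,
        "compiled_matches_source": image.compiled == compile_program(image.source),
    }


def is_intact(image: ControllerImage, golden: GoldenRecord) -> bool:
    return all(full_verify(image, golden).values())


def demo():
    """Walk through the failure mode: the executable image in the controller
    no longer corresponds to the readable program (constructed scenario)."""
    source = b"TON(Timer1,?,?); OTE(Valve_Open);"  # constructed program text
    image, golden = download(source)
    assert naive_verify(image, golden) and is_intact(image, golden)

    # Divergence: only the compiled location changes; the source is untouched.
    image.compiled = compile_program(b"OTE(Valve_Open); OTE(Spare_Output);")

    return naive_verify(image, golden), full_verify(image, golden)


if __name__ == "__main__":
    naive, full = demo()
    print("source-only check passes:", naive)  # True: the change is missed
    print("full check:", full)
```

The design point is that the golden record must be produced and held off the controller, on a workstation that is itself trusted; if the comparison baseline is read back from the same controller, a changed executable image would simply be compared with itself.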
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
- Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
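The port-blocking step above is a preventive control; as an added example (not from this advisory or from Rockwell Automation), the following Python reviews firewall log lines for EtherNet/IP or CIP traffic (TCP/UDP 2222 and 44818) reaching Manufacturing Zone hosts from outside the zone, which is what a defender would check to confirm that the boundary control is actually in place. The key=value log format, the zone address range, the function names and the sample lines are all constructed for this example.

```python
"""Constructed detection logic for CIP/EtherNet/IP flows that cross the
Manufacturing Zone boundary (example added to this page; not Rockwell code)."""
import ipaddress
import re

# Hypothetical Manufacturing Zone address space; replace with the real one.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.50.0.0/16")]

# Ports named in the advisory for EtherNet/IP and other CIP-based devices.
CIP_PORTS = {2222, 44818}

# Hypothetical firewall log format: key=value pairs on one line.
LOG_RE = re.compile(
    r"proto=(?P<proto>TCP|UDP)\s+src=(?P<src>[\d.]+)\s+sport=(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>ALLOW|DENY)"
)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2022-05-06T10:00:01Z proto=TCP src=10.50.3.21 sport=50211 dst=10.50.0.7 dport=44818 action=ALLOW",
    "2022-05-06T10:00:05Z proto=TCP src=10.20.1.15 sport=51234 dst=10.50.0.7 dport=44818 action=ALLOW",
    "2022-05-06T10:00:09Z proto=UDP src=172.16.9.4 sport=2222 dst=10.50.0.9 dport=2222 action=ALLOW",
    "2022-05-06T10:00:12Z proto=TCP src=10.20.1.15 sport=51240 dst=10.50.0.7 dport=44818 action=DENY",
    "2022-05-06T10:00:15Z proto=TCP src=10.20.1.15 sport=51250 dst=10.50.0.7 dport=443 action=ALLOW",
    "malformed line that the parser should skip",
]


def in_zone(ip: str) -> bool:
    """True if the address belongs to one of the Manufacturing Zone subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANUFACTURING_ZONE)


def parse(line: str):
    """Return the parsed fields of a log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def find_boundary_cip_flows(lines):
    """Flows to a CIP port on a zone host from a source outside the zone.
    ALLOW entries mean the boundary control is not blocking 2222/44818;
    DENY entries show the control working but are still worth reviewing."""
    findings = []
    for line in lines:
        f = parse(line)
        if f is None:
            continue
        if int(f["dport"]) in CIP_PORTS and in_zone(f["dst"]) and not in_zone(f["src"]):
            findings.append({
                "src": f["src"], "dst": f["dst"], "proto": f["proto"],
                "dport": int(f["dport"]), "action": f["action"],
            })
    return findings


def summarize(lines):
    """Count boundary-crossing CIP flows as (allowed, denied)."""
    findings = find_boundary_cip_flows(lines)
    allowed = sum(1 for f in findings if f["action"] == "ALLOW")
    return allowed, len(findings) - allowed


if __name__ == "__main__":
    for finding in find_boundary_cip_flows(SAMPLE_LOG):
        print(finding)
    print("allowed/denied:", summarize(SAMPLE_LOG))  # (2, 1)
```

Any ALLOW finding indicates that a firewall or other boundary device is passing CIP traffic from outside the zone and that the port restriction described above has not been applied (or has an exception), while a run of DENY findings from one source is a useful lead for the detection method in the previous section.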
Software/PC-based Mitigation Strategies
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
- Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations (Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.)
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).
Additional Links
- PN1354 - Industrial Security Advisory Index.
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- NVD - CVE-2022-1161 (nist.gov)
Copyright ©2022 Rockwell Automation, Inc.