New Rockwell security vulnerability a solid 10 out of 10!

For all you people who use various Rockwell Logix PLCs there was a new security vulnerability disclosed this week. ICS Advisory (ICSA-21-056-03)

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.

The following versions of Rockwell software are affected:

  • RSLogix 5000: Versions 16 through 20
  • Studio 5000 Logix Designer: Versions 21 and later

The following Rockwell Logix Controllers are affected:

  • CompactLogix 1768
  • CompactLogix 1769
  • CompactLogix 5370
  • CompactLogix 5380
  • CompactLogix 5480
  • ControlLogix 5550
  • ControlLogix 5560
  • ControlLogix 5570
  • ControlLogix 5580
  • DriveLogix 5560
  • DriveLogix 5730
  • DriveLogix 1794-L34
  • Compact GuardLogix 5370
  • Compact GuardLogix 5380
  • GuardLogix 5570
  • GuardLogix 5580
  • SoftLogix 5800

As discussed in Hard-coded key vulnerability in Logix PLCs has severity score of 10 out of 10, its deemed pretty severe in terms of exploitability and impact.

Of course the best mitigation of this vulnerability is don’t expose your $^&$#@ controllers directly to the Internet.

I can’t seem to find enough details… but this basically boils down to my copy of Studio5000 can modify your PLC, always the case if I had network access, but also because they hardcoded keys in the software now maybe somebody spoofing Studio5000 could manage it as well.

Or am I missing something?

That’s about what I read it as, but I am not familiar with RA stuff, so there could be more to it.

OTOH if it was simply a “If I can connect to your PLC via the internet, then I can modify it” type of thing, then I would not expect such a high level advisory

I was notified yesterday afternoon. If you have a support contract with Rockwell, you can view their notice to customers here:

There’s not much you can do short of leaving your controller key switches in “run” mode (not remote). Which is already a best practice due to the ease with which legitimate users can connect and download to the wrong devices. The very latest ControlLogix processors (L8x v32+), or ControlLogix chassis with an EN4TR, can switch to encrypted CIP. Which almost nobody supports yet, so is impractical for SCADA users like us.

There’s no downside to an attacker using real RSLogix programming software, which is the only thing this particular private key tries to enforce.

Meh. None of my customers are using Rockwell’s controller-level security anyways, as it is a pain in the [expletive] to manage. Exposing any controllers to the internet, even through any form of port forwarding, has always been a stupid idea.

1 Like

This is all interesting. Does using a VPN the same as with exposing a controller to the internet? I realize the name inplies otherwise but just to make sure we are all on the same page because there are some customers that feel that VPN access is akin to the internet. Thanks.

VPN access is not the same as “open to the internet”. Bad VPN management can make it equivalent, but that applies to any remote access tools. The water treatment plant breach cited by Ars wasn’t even a VPN, but TeamViewer. Not at all related to a protocol-level vulnerability like this Rockwell problem. But hey, you have to spice up the article with something. ):

1 Like

Stumbled on this late. But this allows authentication and authorizations configured in FactoryTalk Security to be bypassed. So controllers secured with a security authority would be vulnerable to having their programs altered/replaced or firmware updated.

I run across this way more than I should. Not sure if people don’t know or don’t care, but you as a service company are taking on a huge amount of liability if you do it and one of these hacks hurts or kills people and they trace it back to you putting a plc out on the internet. I see people putting equipment out on the internet all the time via cellular modems with no private apn. They throw it out on the public internet and anyone can connect.

1 Like