A critical, easy-to-exploit vulnerability (CVE-2021-22681) may allow attackers to remotely connect to a number of Rockwell Automation's programmable logic controllers (PLCs) and install new (malicious) firmware, alter the device's configuration, and so on. Because it is remotely exploitable, requires no special privileges and gives full control of the controller, the vulnerability has received the maximum CVSS v3 severity score of 10.0.
About the vulnerability (CVE-2021-22681)
Rockwell Automation's PLCs are used around the world to control industrial equipment. The flaw may allow an attacker to recover the cryptographic key that Logix controllers use to verify they are communicating with a legitimate engineering station; with that key in hand, the controller cannot tell an attacker's machine from the real workstation.
“An attacker with this key could mimic a workstation and therefore be able to manipulate configurations or code running on the PLC (upload/download logic), and directly impact a manufacturing process,” Claroty researchers explained.
CVE-2021-22681 affects several series of the company’s Logix controllers:
- CompactLogix 1768, 1769, 5370, 5380 and 5480
- ControlLogix 5550, 5560, 5570 and 5580
- DriveLogix 5560, 5730 and 1794-L34
- Compact GuardLogix 5370 and 5380
- GuardLogix 5570 and 5580
- SoftLogix 5800
In effect, every Logix controller programmed with RSLogix 5000 (versions 16 through 20) or Studio 5000 Logix Designer (versions 21 and later) is affected, because the weakness lies in the key shared between the engineering software and the controllers rather than in any single controller model.
What to do?
The vulnerability has been independently discovered by Claroty, Kaspersky Lab, and researchers from South Korea’s Soonchunhyang University’s Lab of Information Systems Security Assurance.
The good news is that, according to the U.S. CISA, there are no known public exploits that specifically target this authentication bypass flaw.
There is no fix available, but Rockwell Automation advises administrators to implement specific mitigations:
- putting the vulnerable controller's mode switch in the "Run" position, which makes the controller reject remote program and configuration changes (an operator must physically move the switch to allow programming again)
- deploying CIP Security, an open-standard secure communication mechanism for EtherNet/IP networks, for Logix Designer connections, so that sessions are authenticated rather than relying on the compromised key
as well as more generic ones: network segmentation, additional security controls such as isolating the controllers from other networks and from the internet, and secure remote access.
They also offered advice on how admins can detect any changes that attackers may have made to configuration or application files. (The CISA advisory holds more information.)
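Since the attack depends on a rogue machine mimicking an engineering workstation, one practical control alongside segmentation is to watch for EtherNet/IP programming sessions reaching the controllers from anywhere other than the approved workstations. The script below is an added example and is not code from the article, from Claroty or from Rockwell Automation; the flow-log format, the IP addresses and the allowlists are constructed for illustration, and the only fact it relies on is that Studio 5000 / RSLogix explicit messaging runs over TCP port 44818.

```python
"""Flag EtherNet/IP (CIP) programming sessions to Logix controllers whose source
is not an approved engineering workstation.

Added example, not part of the original article. The flow-log format, the
addresses and the inventory below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Explicit messaging (what RSLogix 5000 / Studio 5000 use to upload and download
# logic) runs over TCP/44818. Implicit I/O on UDP/2222 is deliberately ignored
# here so that normal remote-I/O traffic does not generate alerts.
CIP_EXPLICIT_PORT = 44818

# Constructed inventory: the controllers, the OT subnet they live in, and the only
# workstations allowed to open programming sessions to them.
CONTROLLERS = {ipaddress.ip_address("10.10.20.11"), ipaddress.ip_address("10.10.20.12")}
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")
ENGINEERING_STATIONS = {ipaddress.ip_address("10.10.10.5")}


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), ipaddress.ip_address(s_ip), int(s_port),
                ipaddress.ip_address(d_ip), int(d_port))


def suspicious_cip_flows(lines) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs for CIP programming sessions to a controller
    whose source is not an approved engineering station."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        f = parse_flow(raw)
        # Only TCP/44818 towards a known controller is a candidate programming session.
        if f.proto != "tcp" or f.dport != CIP_EXPLICIT_PORT or f.dst not in CONTROLLERS:
            continue
        if f.src in ENGINEERING_STATIONS:
            continue
        if f.src not in OT_NETWORK:
            reason = "source is outside the OT network"
        else:
            reason = "source is not an approved engineering station"
        alerts.append((f, reason))
    return alerts


# Constructed sample: one legitimate session, one from an unknown OT host, one from
# outside the OT network, and one unrelated HTTPS connection.
SAMPLE_FLOWS = [
    "2021-03-01T10:00:01Z tcp 10.10.10.5:51234 -> 10.10.20.11:44818",
    "2021-03-01T10:02:17Z tcp 10.10.10.77:40122 -> 10.10.20.11:44818",
    "2021-03-01T10:03:40Z tcp 192.168.1.20:55010 -> 10.10.20.12:44818",
    "2021-03-01T10:04:05Z tcp 10.10.10.77:40130 -> 10.10.20.11:443",
]

if __name__ == "__main__":
    for flow, reason in suspicious_cip_flows(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}: {reason}")
```

On the constructed sample this reports two sessions: the one from 10.10.10.77 (an OT host that is not an approved workstation) and the one from 192.168.1.20 (outside the OT network entirely). Feeding it real firewall or NetFlow exports only requires replacing `parse_flow` with a parser for that format; the allowlist logic stays the same.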