A new vulnerability discovered in various Rockwell Automation programmable logic controllers (PLC) has received a 10 out of 10 risk score, the highest possible on the CVSS vulnerability scale.
The new vulnerability is being tracked as CVE-2021-22681. Attackers can abuse this flaw in the Logix Designer 5000 software to gain the secret cryptographic key, which is used to establish a secure connection between the PLC and the engineering station. The keys are baked into the hardware so they cannot be changed by the operator.
Once obtained, the key can be used to bypass verification systems, giving the attacker unrestricted access to the engineering systems. The attacker can then remotely install malware onto the afflicted devices to sabotage the manufacturing process.
From IT World Canada:
VMware’s code-execution flaw has a severity rating of 9.8 out of 10
The Industrial Control System Cyber Emergency Response Team wrote in an advisory that this vulnerability requires low skill to execute.
Although the flaw was publicly disclosed on Feb. 25, Rockwell Automation had known about the flaw since it was first discovered by cybersecurity firm Claroty in 2019.
No patch is currently available. In the meantime, Rockwell Automation recommends setting the controllers to “run” mode and segment the devices’ networks. It also urges operators to keep their security suites up to date.
To track if an attack has occurred, Rockwell Automation suggests monitoring the controller’s changelog and Logix Designer’s Change Detection feature.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also has a page set up for control systems security recommended practices.
Affected PLCs include:
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800
