Critical vulnerabilities at Rockwell Automation


Team82, the research division of Claroty, the specialist in the security of cyber-physical systems (CPS) in industrial, healthcare and enterprise environments, and Rockwell Automation have jointly disclosed two vulnerabilities in Rockwell programmable logic controllers (PLCs) and engineering workstation software.

CVE-2022-1161 affects multiple versions of Rockwell's Logix controllers and received the highest CVSS score of 10, while CVE-2020-1159 affects multiple versions of the Studio 5000 Logix Designer application. The vulnerabilities could allow modified code to be downloaded to a PLC while the process appears normal to technicians at their workstations. This is reminiscent of Stuxnet and the Rogue7 attacks. Rockwell provides users with a tool that detects such hidden code. In addition, users are strongly advised to update the affected products, which can reveal manipulations.

Stealth attacks possible

Successful stealth attacks on programmable logic controllers (PLCs) are among the rarest, most time-consuming and expensive attacks. The Stuxnet authors laid the groundwork here by finding a way to hide malicious bytecode running on a PLC, while the engineer programming the controller sees only the normal state on the workstation. To do this, the bytecode and the textual code must be decoupled. For example, in the Rogue7 attack on Siemens SIMATIC S7 PLCs, the researchers were able to modify the textual code while transmitting the malicious bytecode to the PLC.

Team82 tested Rockwell Automation's PLC platform for these Stuxnet-like attacks. Two vulnerabilities were discovered that leave the company's Logix controllers and Logix Designer application for engineering workstations vulnerable to such attacks. Attackers able to unobtrusively modify PLC logic could cause physical damage in factories, compromising assembly line security and robot reliability.

Stuxnet-like attack successful

The two vulnerabilities identified make it possible to decouple the textual code from the binary code and transfer it to the PLC, with one of them modified but not the other. This causes the engineer to believe that the PLC is running regular code, when in fact it is running entirely different, potentially malicious code.

More at Claroty.com

About Claroty

Claroty, the Industrial Cybersecurity Company, helps its global customers discover, protect and manage their OT, IoT and IIoT assets. The company's comprehensive platform can be seamlessly integrated into customers' existing infrastructure and processes and offers a wide range of industrial cybersecurity controls for transparency, threat detection, risk and vulnerability management and secure remote access - with significantly reduced total cost of ownership.


 
