Vulnerability in Rockwell Automation PLCs allows hidden code

Claroty and Rockwell Automation have disclosed two security vulnerabilities in Rockwell’s PLCs and engineering workstation software. As a result, Rockwell has developed a specialised tool that detects hidden code, and users are being urged to upgrade affected products immediately to leverage this.

Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming and investment-heavy attacks. Stuxnet’s authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered.

Conceptually, exploitation is the same in previous research: decouple the bytecode and textual code, modify one, and not the other. For example, in the Rogue7 attack on Siemens SIMATIC S7 PLCs, researchers were able to modify the textual code while transferring malicious bytecode to the PLC. Airbus Researchers carried out similar research and attacks on Schneider Electric PLCs and modified native bytecode being transferred to the PLC.

Team82 decided to test for these Stuxnet-type of attacks on the Rockwell Automation PLC platform. The team’s research uncovered two vulnerabilities that expose the company’s Logix controllers and Logix Designer application for engineering workstations to attacks that allow threat actors to stealthily modify automation processes.

Programmable logic and predefined variables drive these processes, and changes to either will alter normal operation of the PLC and the process it manages. An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility.

Rockwell Automation today disclosed these vulnerabilities and has developed a tool that detects differences in binary and textual code. By using this tool, hidden code can be detected.

Two new vulnerabilities to modify PLC logic

In the research of Rockwell Automation’s engineering workstation, Studio 5000 Logix Designer, and the mechanics of its download logic procedure, Team82 uncovered two vulnerabilities that allowed them to decouple textual code from binary code and transfer it to the PLC, while modifying one and not the other.

The first vulnerability, CVE-2022-1161 (CVSS v3.1 Base Score: 10.0/CRITICAL), was found within affected PLC firmware running on ControlLogix, CompactLogix and GuardLogix control systems. It allows attackers to write user-readable program code to a separate memory location from the executed compiled code, allowing the attacker to modify one and not the other. To do so, an attacker could use a hardcoded secret key vulnerability in Logix Controllers previously disclosed by Team82 to communicate with Rockwell Automation PLCs and modify user programs without using Studio 5000 Logix Designer software.

The second vulnerability, CVE-2022-1159, was found within the Studio 5000 Logix Designer application that compiles the user program on the workstation. This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer. The attacker can then intercept the compilation process and inject code into the user program. The user may potentially be unaware that this modification has taken place.

The end result of exploiting both vulnerabilities is the same: the engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC.

Detections and mitigations

Team82 worked closely with Rockwell Automation engineers to understand the root cause of these attacks. As a result, Rockwell engineers came up with sophisticated solutions to detect hidden code running on their PLCs by analysing and comparing the textual code and the binary code running on the PLC. If a mismatch is detected, the tool will alert a difference between the two, indicating that the hidden code is running on the PLC.

To leverage these detection capabilities, asset owners are directed to upgrade to:

• Studio 5000 V34 or later
• corresponding versions of Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware
• one of the following Compare tools: Logix Designer application Compare Tool v9 or later, installed with Studio 5000 Logix Designer, or FactoryTalk AssetCentre v12 or later (available spring 2022).
   

Additional detections and mitigations options include:

• Utilise the Controller Log feature
• Utilise change detection in the Logix Designer Application
• Implement CIP Security to help prevent unauthorised connections when properly deployed
   

Image: ©stock.adobe.com/au/NicoElNino