A critical authentication bypass vulnerability could be exploited by remote attackers to Rockwell Automation programmable logic controllers (PLCs).
A critical authentication bypass vulnerability, tracked as CVE-2021-22681, can be exploited by remote attackers to compromise programmable logic controllers (PLCs) manufactured by Rockwell Automation.
The vulnerability was independently reported to Rockwell by researchers at the Soonchunhyang University in South Korea, Claroty, and Kaspersky.
“Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers.” reads the advisory published by CISA. “Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.”
The CVE-2021-22681 flaw has received a CVSS score of 10, it affects the following products:
Rockwell software versions:
- RSLogix 5000: Versions 16 through 20
- Studio 5000 Logix Designer: Versions 21 and later
Rockwell Logix Controllers:
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800
The issue resides in the Logix Designer software that uses a poorly protected private cryptographic key to verify communications with controllers.
“This key is not sufficiently protected, allowing a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller by mimicking an engineering workstation.” reads the post published by Claroty. “An attacker who is able to extract the secret key would be able to authenticate to any Rockwell Logix controller.”
The secret keys are used to digitally sign all communication with the Rockwell PLCs, then PLCs verify the signature and authenticate the company engineering software. An attacker that obtained the key impersonate the engineering software and control the PLC.
Claroty privately reported the vulnerability to Rockwell in 2019.
Rockwell provided a list of risk mitigation and recommended user actions for its projects.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, PLC)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
A critical authentication bypass vulnerability could be exploited by remote attackers to Rockwell Automation programmable logic controllers (PLCs).
A critical authentication bypass vulnerability, tracked as CVE-2021-22681, can be exploited by remote attackers to compromise programmable logic controllers (PLCs) manufactured by Rockwell Automation.
The vulnerability was independently reported to Rockwell by researchers at the Soonchunhyang University in South Korea, Claroty, and Kaspersky.
“Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers.” reads the advisory published by CISA. “Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.”
The CVE-2021-22681 flaw has received a CVSS score of 10, it affects the following products:
Rockwell software versions:
- RSLogix 5000: Versions 16 through 20
- Studio 5000 Logix Designer: Versions 21 and later
Rockwell Logix Controllers:
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800
The issue resides in the Logix Designer software that uses a poorly protected private cryptographic key to verify communications with controllers.
“This key is not sufficiently protected, allowing a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller by mimicking an engineering workstation.” reads the post published by Claroty. “An attacker who is able to extract the secret key would be able to authenticate to any Rockwell Logix controller.”
The secret keys are used to digitally sign all communication with the Rockwell PLCs, then PLCs verify the signature and authenticate the company engineering software. An attacker that obtained the key impersonate the engineering software and control the PLC.
Claroty privately reported the vulnerability to Rockwell in 2019.
Rockwell provided a list of risk mitigation and recommended user actions for its projects.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, PLC)