Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives

Rockwell Automation’s Allen Bradley PowerFlex 525 AC drives are affected by a critical denial-of-service (DoS) vulnerability that allows hackers to take control of devices.

PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers.

Nicolas Merle, a researcher at industrial cybersecurity firm Applied Risk, discovered that the PowerFlex 525 drive is affected by a serious DoS flaw that can be exploited to disrupt the configuration and control software associated with the device by sending it specially crafted UDP packets that cause the Common Industrial Protocol (CIP) network stack to crash.

Exploitation causes the software to disconnect from the device and block legitimate users out, but an attacker can continue sending commands to the system. A hacker could, among other things, change the speed of the drive or send it start/stop commands, Merle told SecurityWeek.

The only way for victims to regain access to the device is to perform a power reset.

“The bug corrupts the CIP daemon in a way that some values returned by the devices are corrupted. It also prevents any new connection to be established with the device,” Merle explained. “One of the issues is that the control software used to interact with this device monitors all necessary values at all times and once the bug is exploited, the software receives an unexpected value and will try to restart the connection – effectively locking itself out.”

Learn More About ICS Flaws at SecurityWeek’s 2019 ICS Cyber Security Conference

“An attacker, on the other hand, can write a simple script to initiate the connection and not close it. The commands can still be sent to the device in this state and the device will still execute them. In this way, as long as the attacker does not stop the connection, they can continue to send commands and request information. As soon as the connection is terminated, a cold reboot is required for the device to accept new connections,” the researcher added.

Applied Risk says it has uncovered the flaw in version 5.001 of the software, but believes older versions are likely affected as well. The firm says Rockwell Automation has developed a patch, but the vendor has yet to publish a security advisory.

Related: No Patches for Critical Flaws in Fuji Electric Servo System, Drives

Related: Rockwell Automation to Patch Publicly Disclosed Power Monitor Flaws

Related: Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software