Security Experts:

Unprotected Private Key Allows Remote Hacking of Rockwell Controllers

Industrial organizations have been warned this week that a critical authentication bypass vulnerability can allow hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation.

The vulnerability, tracked as CVE-2021-22681 with a CVSS score of 10, was independently reported to Rockwell by researchers at the Soonchunhyang University in South Korea, Kaspersky, and industrial cybersecurity firm Claroty.

Advisories for this flaw were published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell (account required). Claroty has also released a blog post with a high-level description of its findings.

The vulnerability impacts Studio 5000 Logix Designer (formerly RSLogix 5000), the popular design and configuration software for PLCs, as well as over a dozen CompactLogix, ControlLogix, DriveLogix, Compact GuardLogix, GuardLogix, and SoftLogix controllers.

The problem is related to the Logix Designer software using a private cryptographic key to verify communications with controllers. This key is not sufficiently protected, allowing a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller by mimicking an engineering workstation.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Once they have connected to the PLC, an attacker on the targeted organization’s network — or malware — can upload malicious code to the controller, download information from the device, or install new firmware. Claroty pointed out that exploitation of the vulnerability could directly impact a manufacturing process.

Claroty said it reported the issue to Rockwell back in 2019. It’s unclear when the others informed the vendor about the vulnerability.

Rockwell has advised customers to implement mitigations to reduce the risk of exploitation, including putting controllers into “Run mode,” deploying CIP Security to prevent unauthorized connections, and updating the controller firmware. It has also shared information for detecting potentially malicious changes and making general security improvements.

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks

Related: DoS Vulnerabilities Found in Rockwell's FactoryTalk Linx and RSLinx Classic Products

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.