Industrial organizations have been warned this week that a critical authentication bypass vulnerability can allow hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation.
The vulnerability, tracked as CVE-2021-22681 with a CVSS score of 10, was independently reported to Rockwell by researchers at the Soonchunhyang University in South Korea, Kaspersky, and industrial cybersecurity firm Claroty.
Advisories for this flaw were published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell (account required). Claroty has also released a blog post with a high-level description of its findings.
The vulnerability impacts Studio 5000 Logix Designer (formerly RSLogix 5000), the popular design and configuration software for PLCs, as well as over a dozen CompactLogix, ControlLogix, DriveLogix, Compact GuardLogix, GuardLogix, and SoftLogix controllers.
The problem is related to the Logix Designer software using a private cryptographic key to verify communications with controllers. This key is not sufficiently protected, allowing a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller by mimicking an engineering workstation.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
Once they have connected to the PLC, an attacker on the targeted organization’s network — or malware — can upload malicious code to the controller, download information from the device, or install new firmware. Claroty pointed out that exploitation of the vulnerability could directly impact a manufacturing process.
Claroty said it reported the issue to Rockwell back in 2019. It’s unclear when the others informed the vendor about the vulnerability.
Rockwell has advised customers to implement mitigations to reduce the risk of exploitation, including putting controllers into “Run mode,” deploying CIP Security to prevent unauthorized connections, and updating the controller firmware. It has also shared information for detecting potentially malicious changes and making general security improvements.
Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files
Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks
Related: DoS Vulnerabilities Found in Rockwell’s FactoryTalk Linx and RSLinx Classic Products
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
