(I)IoT Security News
ICS, News, Vulnerabilities

Rockwell Automation Logix Controllers (Update A)

Rockwell Automation Logix Controllers

1. EXECUTIVE SUMMARY

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-21-056-03 Rockwell Automation Logix Controllers that was published February 25, 2021, to the ICS webpage on us-cert.cisa.gov.

3. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

——— Begin Update A Part 1 of 2 ——–

The following versions of Rockwell software are affected:

——— End Update A Part 1 of 2 ———

The following Rockwell Logix Controllers are affected:

4.2 VULNERABILITY OVERVIEW

4.2.1    INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with the affected Rockwell Automation products. The product is vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Logix controllers.

CVE-2021-22681 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

4.3 BACKGROUND

4.4 RESEARCHER

The vulnerability was independently co-discovered by Lab. of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and Sharon Brizinov and Tal Keren of Claroty.

5. MITIGATIONS

——— Begin Update A Part 2 of 2 ——–

Rockwell Automation has determined this vulnerability cannot be mitigated with a patch. Rockwell encourages users to combine its specific risk mitigation recommendations with general security guidelines for a comprehensive defense-in-depth strategy.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To reduce risk, Rockwell recommends users ensure they are employing proper network segmentation and security controls; including, but not limited to:

Users should refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation, as well as broader defense-in-depth strategies. Users can also refer to Rockwell Automation’s System Security Design Guidelines on how to use Rockwell Automation products to improve the security of industrial automation systems. 

Common Industrial Protocol (CIP) Security mitigates this vulnerability as it provides the ability to deploy TLS- and DTLS-based secure communications to supported products. CIP Security is an enhancement to the ODVA (Open DeviceNet Vendors Association) EtherNet/IP industrial communication standard and directly addresses this vulnerability. CIP Security allows users to leverage and manage certificates and/or pre-shared keys, and does not make use of any hardcoded keys.

Users requiring setup or deployment guidance for CIP Security protocol should refer to the CIP Security deployment reference guide.

——— End Update A Part 2 of 2 ——–

Additionally, Rockwell recommends users follow the following risk mitigation and recommended user actions for the following product family and versions:

In addition, Rockwell recommends users employ the following methods to detect changes to configuration or application files:

Rockwell Automation has published a security advisory that further describes how this vulnerability affects the Studio 5000 Logix Designer software and associated controllers.

Requests for additional information can be sent to the Rockwell RASecure Inbox (rasecure@ra.rockwell.com).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Source:

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03

Related posts

Hetronic Nova-M

(I) IoT
6 years ago

Horner Automation Cscape

(I) IoT
4 years ago

Siemens S7-300/400 PLC Vulnerabilities (Update E)

(I) IoT
5 years ago
Exit mobile version