The US CISA warns of a critical vulnerability in the industrial control products Rockwell Automation. Attackers could modify program code for the Logix controllers and thus take control over them tracked as CVE-2022-1161, CVSS 10.0. In addition, attackers could smuggle code into the Logix controllers unnoticed which is tracked as CVE-2022-1159, CVSS 7.7.
Thw vulnerable component includes series of the CompactLogix-, Compact GuardLogix-, ControlLogix-, GuardLogix-, FlexLogix-, DriveLogix– and SoftLogix-controller. An attacker with the ability to change user programs could push manipulated program code onto the controllers. Because Studio 5000 Logix Designer stores user-readable code in a different location than the compiled code it runs, attackers could swap out one without modifying the other.
The second vulnerability affects fewer systems: ControlLogix and GuardLogix 5580, CompactLogix 5380 and 5480 as Compact GuardLogix 5380 controller. Attackers who gain administrative access to stations with Studio 5000 Logix Designer could inject code here without users being able to see it.
There is no easy way to fill the gaps with software. The controllers have a switch that can toggle between programming and program execution or only program execution. CISA recommends switching the switch to the “Run” position after uploading your verified code to the controllers.
The CISA shows other possibilities in the security notifications. They conclude with the usual and actually self-evident information for the cyber security of industrial plants: Admins should restrict access to the control systems as much as possible and, if possible, not make them accessible from the Internet. If remote access is required, it should definitely be encrypted via a VPN connection. IT managers should isolate the networks of the industrial plants from other networks.