Detections
Analytics

Rockwell Automation Logix Controllers Inclusion of Functionality From Untrusted Control Sphere (CVE-2022-1161)

critical Tenable OT Security Plugin ID 500630

Synopsis

The remote OT asset is affected by a vulnerability.

Description

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code, allowing an attacker to change one and not the other.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Users using the affected software or controllers are directed towards the risk mitigation steps listed below and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in- depth strategy.

The following mitigations should be applied for ControlLogix 5560, ControlLogix 5570, ControlLogix 5580 series, GuardLogix 5570, GuardLogix 5580, GuardLogix 5380, CompactLogix, CompactLogix 5380 devices:

Risk Mitigation A:

- Recompile and download user program code (i.e., acd).
- Put controller mode switch into Run position.

If keeping controller mode switch in Run is impractical, use the following mitigation:

- Recompile and download user program code (i.e., acd).
- Monitor controller change log for any unexpected modifications or anomalous activity.
- Utilize the Controller Log feature.
- Utilize Change Detection in the Logix Designer Application.
- If available, use the functionality in FactoryTalk AssetCenter software to detect changes.

Risk Mitigation B:

Implement CIP Security to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:

- ControlLogix 5580 processors using on-board EtherNet/IP port.
- GuardLogix 5580 processors using on-board EtherNet/IP port.
- ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR
- ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP module.
 - If using a 1756-EN2T, then replace with a 1756-EN4TR
- CompactLogix 5380 using on-board EtherNet/IP port.
- CompactLogix GuardLogix 5380 using on-board EtherNet/IP port.

The following mitigations should be applied for 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, and CompactLogix 5480 devices:

- Recompile and download user program code (i.e., acd).
- Put controller mode switch into Run position.

If keeping controller mode switch in Run is impractical, then use the following mitigation:

- Recompile and download user program code (i.e., acd).
- Monitor controller change log for any unexpected modifications or anomalous activity.
- Use the Controller Log feature.
- Use Change Detection in the Logix Designer application.
- If available, use the functionality in FactoryTalk AssetCenter to detect changes.

See Also

https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-05

https://www.rockwellautomation.com/en-us/support/advisory.PN1585.html

http://www.nessus.org/u?7c944bfe

http://www.nessus.org/u?e0526e5e

Plugin Details

Severity: Critical

ID: 500630

Version: 1.10

Type: remote

Family: Tenable.ot

Published: 4/28/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-1161

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rockwellautomation:compactlogix_1769-l31_firmware, cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware, cpe:/o:rockwellautomation:compactlogix_5370_l2_firmware, cpe:/o:rockwellautomation:compact_guardlogix_5380_firmware, cpe:/o:rockwellautomation:controllogix_5580_firmware, cpe:/o:rockwellautomation:compactlogix_5380_firmware, cpe:/o:rockwellautomation:guardlogix_5580_firmware, cpe:/o:rockwellautomation:softlogix_5800_firmware, cpe:/o:rockwellautomation:guardlogix_5560_firmware, cpe:/o:rockwellautomation:compactlogix_1769-l35cr_firmware, cpe:/o:rockwellautomation:drivelogix_5730_firmware, cpe:/o:rockwellautomation:compactlogix_1768-l43_firmware, cpe:/o:rockwellautomation:guardlogix_5570_firmware, cpe:/o:rockwellautomation:compactlogix_1769-l32e_firmware, cpe:/o:rockwellautomation:flexlogix_1794-l34_firmware, cpe:/o:rockwellautomation:compactlogix_1769-l35e_firmware, cpe:/o:rockwellautomation:compactlogix_1769-l32c_firmware, cpe:/o:rockwellautomation:controllogix_5550_firmware, cpe:/o:rockwellautomation:controllogix_5570_firmware, cpe:/o:rockwellautomation:controllogix_5560_firmware, cpe:/o:rockwellautomation:compactlogix_5480_firmware, cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware, cpe:/o:rockwellautomation:compactlogix_1768-l45_firmware, cpe:/o:rockwellautomation:compact_guardlogix_5370_firmware

Required KB Items: Tenable.ot/Rockwell

Exploit Ease: No known exploits are available

Patch Publication Date: 4/11/2022

Vulnerability Publication Date: 4/11/2022

Reference Information

CVE: CVE-2022-1161

CWE: 829

ICSA: 22-090-05