The Claroty Research Team has discovered a severe vulnerability (CVE-2021-22681, CVSS 10.0) in a mechanism that verifies communication between Rockwell Automation PLCs and engineering stations. The vulnerability affects Studio 5000 Logix Designer, RSLogix 5000, and many Logix Controllers.
Exploiting this flaw enables an attacker to remotely connect to almost any of the company's Logix programmable logic controllers (PLCs), and upload malicious code, download information from the PLC, or install new firmware.
The vulnerability lies in the fact that Studio 5000 Logix Designer software may allow a secret cryptographic key to be discovered. This key is used to verify communication between Rockwell Logix controllers and their engineering stations. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass this verification mechanism and connect to Logix controllers.
An attacker who is able to extract the secret key would be able to authenticate to any Rockwell Logix controller. These secret keys digitally sign all communication with the Rockwell PLCs; the PLCs verify the signature and authorize communication between it and the Rockwell engineering software. An attacker with this key could mimic a workstation and therefore be able to manipulate configurations or code running on the PLC (upload/download logic), and directly impact a manufacturing process.
Affected versions include: Rockwell's Studio 5000 Logix Designer (versions 21 and later) and RSLogix 5000 (versions 16-20), as well as Rockwell Logix Controllers (CompactLogix 1768, 1769, 5370, 5380, 5480, 5550, 5560, 5570, 5580), Drive Logix (5560, 5730, 1794-L34), Compact GuardLogix (5370 and 5380), GuardLogix (5570 and 5580), and SoftLogix 5800.
An advisory published Thursday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT), describes the vulnerability as requiring low skill level to exploit.
Claroty privately disclosed the flaw to Rockwell in 2019; researchers from South Korea's Soonchunhyang University's Lab of Information Systems Security Assurance, and Kaspersky Lab, were also credited by ICS-CERT as having independently discovered the vulnerability.
Rockwell Automation recommends a number of specific mitigations including putting the controller's mode switch to "Run" mode and deploying CIP Security for Logix Designer connections. CIP Security prevents unauthorized connections when deployed properly.
Rockwell Automation also recommends a number of generic mitigations to blunt the effects of this vulnerability, starting with proper network segmentation and security controls such as minimizing exposure of control systems to the network or the internet. Control systems, Rockwell said, should be behind firewalls and isolated from other networks whenever feasible. Secure remote access is also suggested; at a minimum, using a VPN to connect to a device.
The ICS-CERT advisory includes all Rockwell mitigation advice, including a number of recommendations for each product family and version. It also recommends a number of detection methods if users suspect configurations have been modified. Those include:
Monitor controller change log for any unexpected modifications or anomalous activity.
If using v17 or later, utilize the Controller Log feature.
If using v20 or later, utilize Change Detection in the Logix Designer Application.
If available, use the functionality in FactoryTalk AssetCentre to detect changes.
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
