On March 31 2022, two significant security vulnerabilities were disclosed involving Rockwell Automation programmable logic controllers (PLCs) and software. Exploitation of these vulnerabilities could allow a remote attacker to inject malicious code into the affected systems.
Consequences of the exploitation of these vulnerabilities
A successful attack would allow an attacker to stealthily modify PLC automation processes or user programs. This could lead to serious consequences, including:
Given these consequences, it is important to act quickly and remediate the impacted systems.
Details about the affected vulnerabilities
CVE-2022-1161 (critical severity, score 10): concerns a vulnerability in the ControlLogix, CompactLogix and GuardLogix control systems from Rockwell. The score of 10 assigned to this vulnerability indicates that it can be exploited remotely with very little effort. Fixing it is therefore urgent.
CVE-2022-1159 (HIGH severity, score 7.7): concerns the Studio 5000 Logix Designer application and allows malicious code to be injected into the user program without the user being aware of it. Exploitation of this vulnerability can lead to a malicious program being downloaded to the PLC, thus altering its operation. The score of 7.7 indicates that the vulnerability can be exploited easily, so prompt measures must also be taken in this case.
Vulnerability mitigation/correction measures
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified the list of impacted systems and applications. It has also made recommendations to mitigate these two vulnerabilities. Please consult them here: CVE-2022-1161 and CVE-2022-1159.
How can StreamScan help you manage your cybersecurity in your OT infrastructure?
StreamScan is specialized in operational cybersecurity and manages the security of several manufacturing companies on a daily basis (IT systems, IoT, PLC, etc.).
If you need help, contact one of our experts.
