Two new security vulnerabilities have been disclosed in Rockwell Automation’s programmable logic controllers (PLCs) and engineering workstation software that could be exploited by an attacker to inject malicious code into affected systems and stealthily modify automation processes.
The flaws have the potential to disrupt industrial operations and cause physical damage to factories in a manner similar to that of Stuxnet and Rogue7 attacks, said operational technology security firm Claroty.
“Programmable logic and predefined variables drive these [automation] processes, and changes to either will alter the normal operation of the PLC and the process it handles,” Claroty’s Sharon Brizinov noted in an article published Thursday.
The two flaws are listed below –
- CVE-2022-1161 (CVSS score: 10.0) – A remotely exploitable flaw that allows a malicious actor to write human-readable “text-based” program code into a separate memory location from the executed compiled code (aka bytecode). The problem lies with the PLC firmware running on Rockwell’s ControlLogix, CompactLogix, and GuardLogix control systems.
- CVE-2022-1159 (CVSS score: 7.7) – An attacker with administrative access to a workstation running the Studio 5000 Logix Designer application can intercept the compilation process and inject code into the user program without the knowledge of the user.
Successful exploitation of the flaws could allow an attacker to modify user programs and upload malicious code to the controller, thereby altering the normal operation of the PLC and allowing malicious commands to be sent to the physical devices controlled by the industrial system.
“The end result of exploiting both vulnerabilities is the same: the engineer thinks benign code is running on the PLC; meanwhile, completely different and potentially malicious code is running on the PLC,” Brizinov explained.
The severity of the flaws also prompted an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) that outlines mitigations that users of affected hardware and software can take for a “comprehensive defense-in-depth strategy”.