Rockwell Automation's programmable logic controllers (PLCs) and engineering workstation software have two new security flaws that might be exploited by an intruder to introduce malicious code into affected systems and silently manipulate automation operations.
As with Stuxnet and the Rogue7 attacks, the vulnerabilities could be used to impair industrial operations and cause physical damage to factories.
Claroty's Sharon Brizinov noted in a published write-up, "Programmable logic and predefined variables drive these [automation] processes, and changes to either will alter the normal operation of the PLC and the process it manages."
The two flaws are as follows:
- CVE-2022- (CVSS score: 10.0): A remotely exploitable weakness that allows a hostile actor to write user-readable "textual" program code to a memory location separate from the compiled code that is actually executed (aka bytecode). The problem is in the PLC firmware of Rockwell's ControlLogix, CompactLogix, and GuardLogix control systems.
- CVE-2022-1159 (CVSS score: 7.7): An attacker with administrative access to a workstation running the Studio 5000 Logix Designer application can disrupt the compilation process and inject code into the user programme without the user's knowledge.
Successfully exploiting the flaws could enable an attacker to change user programmes and download malicious code to the controller, effectively changing the PLC's normal operation and allowing rogue commands to be sent to the industrial system's physical devices.
Brizinov explained, "The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC."
Because of the severity of the weaknesses, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning outlining mitigation actions that users of the affected hardware and software can take as part of a "comprehensive defence-in-depth strategy."