Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations.
FactoryTalk® Security provides user authentication and authorization for a particular set of actions within RSLogix® 5000 and Studio 5000®. Once the application is authorized to open and connect to the controller within RSLogix 5000 or Studio 5000, this verification mechanism, referenced above, is leveraged to establish the connection to the controller. For customers concerned with user access control and who have deployed FactoryTalk Security, this vulnerability may allow an attacker to bypass the protections provided by FactoryTalk Security.
This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.
Compact GuardLogix® 5370
Compact GuardLogix 5380
Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.
CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Risk Mitigation & User Action
|Product Family and Version||Risk Mitigation and Recommended User Actions|
|ControlLogix 5580 v32 or later|| |
|ControlLogix 5580 v31|| |
|ControlLogix 5570 v31 or later|| |
|CompactLogix 5380 v28 or later|| |
|CompactLogix 5370 v20 or later|| |
|ControlLogix 5580 v28-v30|| |
|ControlLogix 5570 v18 or later|| |
|ControlLogix 5560 v16 or later|| |
|ControlLogix 5550 v16|| |
|GuardLogix 5580 v31 or later|| |
|GuardLogix 5570 v20 or later|| |
|GuardLogix 5560 v16 or later|| |
|1768 CompactLogix v16 or later|| |
|1769 CompactLogix v16 or later|| |
|CompactLogix 5480 v32 or later|| |
|Compact GuardLogix 5370 v28 or later|| |
|Compact GuardLogix 5380 v31 or later|| |
|FlexLogix 1794-L34 v16|| |
|DriveLogix 5370 v16 or later|| |
|SoftLogix 5800|| |
In addition, customers can continue to use the methods below to detect changes to configuration or application files:
- Monitor controller change log for any unexpected modifications or anomalous activity.
- If using v17 or later, utilize the Controller Log feature.
- If using v20 or later, utilize Change Detection in the Logix Designer Application.
- If available, use the functionality in FactoryTalk® AssetCentre software to detect changes.
General Security Guidelines
- Consult the product documentation for specific features, such as a hardware Mode Switch setting, which may be used to block unauthorized changes, etc.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.
Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.
A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage this vulnerability, an unauthorized user requires network access to the controller. Customers should confirm that they are employing proper network segmentation and security controls, including, but not limited to:
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimizing network exposure for all control system devices and/or systems and confirming that they are not accessible from the Internet.
- Locating control system networks and devices behind firewalls and isolating them from the enterprise/business network.
- Restricting or blocking traffic on TCP 44818 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. A VPN is only as secure as the connected devices.
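The restriction on TCP 44818 in the list above can be checked against recorded traffic. The following is an added example, not part of the Rockwell Automation advisory: it audits flow records for connections to TCP 44818 on a control-zone device from a source outside that zone. The zone range, the record layout and the sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress

ENIP_TCP_PORT = 44818  # TCP port named in the advisory's mitigation list
# Assumption: address range of the industrial control system zone (constructed).
ICS_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample flow records: time, source, destination, dest port, protocol.
SAMPLE_FLOWS = """\
2021-03-05T08:00:01Z,10.20.1.15,10.20.5.10,44818,tcp
2021-03-05T08:00:07Z,10.50.3.22,10.20.5.10,44818,tcp
2021-03-05T08:01:12Z,10.50.3.22,10.20.5.10,443,tcp
2021-03-05T08:02:30Z,192.0.2.77,10.20.5.11,44818,tcp
2021-03-05T08:02:31Z,10.20.1.15,10.20.5.11,44818,udp
not,a,valid,record
"""


def in_zone(addr, zone=ICS_ZONE):
    """True if the address falls inside any network of the zone."""
    return any(addr in net for net in zone)


def audit_flows(text, zone=ICS_ZONE):
    """Return (violations, skipped): flows reaching TCP 44818 on a zone
    device from a source outside the zone, and the count of unparseable rows."""
    violations, skipped = [], 0
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            ts, src, dst, dport, proto = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if proto.lower() != "tcp" or port != ENIP_TCP_PORT:
            continue
        if in_zone(dst_ip, zone) and not in_zone(src_ip, zone):
            violations.append({"time": ts, "src": src, "dst": dst})
    return violations, skipped


if __name__ == "__main__":
    hits, bad = audit_flows(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['time']} outside-zone source {h['src']} -> {h['dst']}:44818/tcp")
    print(f"{len(hits)} violation(s), {bad} unparseable row(s)")
```

Any reported row means the firewall or segmentation boundary is letting outside-zone hosts reach the controller port and should be reviewed.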
CIP Security mitigates this vulnerability as it provides the ability to deploy TLS and DTLS based secure communications to supported products. CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows for users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.
As of May 5, 2021, a new mitigation option is now available. The 1783-CSP CIP Security Proxy is a standalone hardware solution that provides CIP Security for devices that do not natively support CIP Security. See below for how this product can be deployed to address CompactLogix based applications.
Customers requiring setup or deployment guidance for CIP Security protocol should refer to the CIP Security deployment reference guide (Publication secure-at001) for more information.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (email@example.com).