CVE-2021-22681:Authentication Bypass Vulnerability in Rockwell Automation Studio 5000 Logix Designer and RSLogix 5000

splash
Back

Description Preview

A critical authentication bypass vulnerability (CWE-522) exists in Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20. These software products use a key to verify communications with various Logix controllers. However, an unauthenticated attacker could bypass this verification mechanism and authenticate with affected controllers, potentially gaining unauthorized access to industrial control systems.

Overview

This vulnerability affects the authentication mechanism between Rockwell Automation's programming software and their industrial controllers. The affected software includes Studio 5000 Logix Designer (v21+) and RSLogix 5000 (v16-20), which are used to program and configure various Logix controllers. The vulnerability allows an attacker to bypass the key-based verification system that should ensure only authorized software can communicate with the controllers. This could enable unauthorized configuration changes, firmware uploads, or other potentially dangerous operations on critical industrial control systems. Given the widespread use of these products in manufacturing, utilities, and other industrial sectors, this vulnerability poses significant risks to operational technology environments.

Remediation

  1. Update to the latest version of Studio 5000 Logix Designer or RSLogix 5000 that contains the security fix.
  2. If immediate patching is not possible, implement network segmentation to isolate control system networks from business networks and the internet.
  3. Use access control lists and firewall rules to restrict network access to authorized endpoints only.
  4. Monitor network traffic for suspicious communications attempting to connect to Logix controllers.
  5. Implement the principle of least privilege for all control system accounts and access.
  6. Consider implementing a defense-in-depth security strategy as recommended by Rockwell Automation.
  7. For detailed mitigation guidance, refer to the CISA advisory (ICSA-21-056-03).

References

  1. CISA ICS Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
  2. CWE-522: Insufficiently Protected Credentials
  3. Rockwell Automation Product Security Advisory (refer to CISA advisory for details)
  4. Affected Products:
    • Studio 5000 Logix Designer Versions 21 and later
    • RSLogix 5000 Versions 16 through 20
    • CompactLogix controllers (1768, 1769, 5370, 5380, 5480)
    • ControlLogix controllers (5550, 5560, 5570, 5580)
    • DriveLogix controllers (5560, 5730, 1794-L34)
    • Compact GuardLogix controllers (5370, 5380)
    • GuardLogix controllers (5570, 5580)
    • SoftLogix controllers (5800)

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Public Administration: Medium
    Public Administration
  3. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  4. Professional, Scientific, & Technical Services: Medium
    Professional, Scientific, & Technical Services
  5. Retail Trade: Low
    Retail Trade
  6. Transportation & Warehousing: Low
    Transportation & Warehousing
  7. Utilities: Low
    Utilities
  8. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  9. Information: Low
    Information
  10. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  11. Mining: Low
    Mining
  12. Educational Services: Low
    Educational Services
  13. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  16. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  17. Construction: Low
    Construction
  18. Finance and Insurance: Low
    Finance and Insurance
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background