CVE-2022-1159:Rockwell Automation Studio 5000 Logix Designer (all versions) is vulnerable to code injection by an attacker who gains administrator access on a workstation running the software, enabling injection of controller code undetectable to users. The vulnerability has a CVSS v3.1 base score of 7.7 (HIGH) with local attack vector, high privileges required, user interaction, and a changed scope affecting confidentiality, integrity, and availability.

splash
Back

Description Preview

Rockwell Automation Studio 5000 Logix Designer (all versions) can be exploited by an attacker who obtains administrator access on a workstation running the application to inject controller code that is undetectable by the user. This flaw arises from improper control of generation of code (code injection) within the affected product. The impact is significant across confidentiality, integrity, and availability, as the attacker can alter controller logic in a way that is not readily detected by users. Exploitation requires local access, elevated privileges, and user interaction, and the attack can affect the controller and related components, leading to a changed security scope. There is no direct runtime mitigation within the Logix Designer application itself; however, detection methods exist to verify that the controller’s current program matches what was downloaded, and Rockwell provides guidance to mitigate risk through upgraded software and verification tooling. The recommended mitigations include upgrading to Studio 5000 v34 or later and applying corresponding controller firmware, and leveraging user program verification via the Logix Designer Compare Tool v9+ or FactoryTalk AssetCentre v12+ to detect mismatches, with verification performed on an uncompromised workstation.

Overview

Rockwell Automation Studio 5000 Logix Designer is susceptible to a local, high-privilege code injection vulnerability that allows an administrator on a workstation to inject controller code in a way that is difficult for users to detect. The issue affects all versions and carries a high impact across confidentiality, integrity, and availability, requiring user interaction and local access to exploit. The vendor indicates there is no direct in-app mitigation, but provides detection and upgrade-based strategies to reduce risk, including software and firmware updates and verification tools to ensure the controller program matches the downloaded version.

Remediation

  • Upgrade to Studio 5000 software version 34 or later, and apply the corresponding firmware for Logix 5580, 5380, 5480, GuardLogix 5580, and Compact GuardLogix 5380 controllers as recommended by Rockwell Automation.
  • Use the detection options described by Rockwell to verify that the controller program residing in the controller matches what was downloaded:
    • On-demand verification with the Logix Designer application Compare Tool v9 or later.
    • Scheduled verification with FactoryTalk AssetCentre v12 or later (available Fall 2022).
  • Perform user program verification on an uncompromised workstation to reduce risk of manipulated tooling or software on that device.
  • Implement defense-in-depth practices: restrict administrator access on engineering workstations, monitor for tampering, and apply general security hardening as per organizational practices.

References

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Health Care & Social Assistance: Low
    Health Care & Social Assistance
  3. Public Administration: Low
    Public Administration
  4. Retail Trade: Low
    Retail Trade
  5. Transportation & Warehousing: Low
    Transportation & Warehousing
  6. Utilities: Low
    Utilities
  7. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  8. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  9. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  10. Information: Low
    Information
  11. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  12. Mining: Low
    Mining
  13. Accommodation & Food Services: Low
    Accommodation & Food Services
  14. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  15. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  16. Construction: Low
    Construction
  17. Educational Services: Low
    Educational Services
  18. Finance and Insurance: Low
    Finance and Insurance
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background