Nozomi Networks Labs Finds New Rockwell PLC Vulnerability

This article was updated on March 3, 2020.

Today, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS-CERT Advisory concerning a vulnerability in Rockwell Automation CompactLogix 5370 controllers.

The ICS-CERT Advisory (ICSA-19-120-01) describes this vulnerability and indicates that its successful exploitation could allow a remote attacker to render the PLC’s web server unavailable, requiring a cold restart.

Nozomi Networks Labs responsibly disclosed the issue to CISA and Rockwell Automation. This effort is part of ongoing research we are conducting to test widely used devices for vulnerabilities.

Today’s advisory highlights the challenge of safeguarding industrial systems that include long-lived, insecure legacy devices. It is one of three ICS-CERT advisories related to Rockwell Automation products reported by our team over the last year.

Read on to learn about our findings and gain a better understanding of the legacy risks that are all too common in industrial facilities.

Nozomi Networks responsibly disclosed the vulnerability described in ICS-CERT Advisory ICSA-19-120-01.
The susceptible PLCs are used in many sectors, including food manufacturing.

Overview of Rockwell Automation Vulnerabilities Reported by Nozomi Networks Labs

The vulnerabilities covered by the new ICS-CERT Advisory apply to the Rockwell Automation 1769 CompactLogix 5370 programmable logic controller (PLC). Specifically, the products affected include:

  • All 1769 CompactLogix 5370 PLCs at revisions <= v30.01.1

Rockwell Automation describes the role of these controllers as:

“CompactLogix 5370 controllers have replaced traditional analog controls, historically based on mechanical, pneumatic or electronic components, combined with digital programmable software.

CompactLogix 5370 controllers expand the scalability of the Logix family of controllers, offer a wider variety of options, and provide best-fit alternatives for specific application requirements.

Coupled with Kinetix® 350, the controllers provide high performance in a compact and affordable integrated motion package for a variety of machine applications, all on one common network – EtherNet/IP.”

Rockwell Automation documentation

According to ICS-CERT, these controllers are used worldwide in infrastructure sectors such as:

  • Critical manufacturing
  • Food and agriculture
  • Transportation
  • Water/wastewater

Shodan, a well-known IoT search engine that identifies devices connected to the Internet, finds more than 2,000 Rockwell Automation CompactLogix PLCs in use around the world.

In addition, many other CompactLogix devices that are not connected to the Internet are in use at industrial facilities.

Nozomi Networks Labs’ Analysis

Over the last year our research included investigation of the Rockwell Automation 1769 CompactLogix 5370 PLC and the RSLinx Classic workstation application (Studio 5000).

During our analysis, we discovered three vulnerabilities. One of these is covered by the ICS-CERT advisory published today, and two are covered by an ICS-CERT advisory published last year.

1. CompactLogix 5370 Uncontrolled Resource Consumption, April 30, 2019

The new vulnerability published today permits an unauthenticated attacker to trigger improper handling of parameters in the PLC’s built-in web server. A remote attacker could cause a Denial of Service (DoS) by sending a crafted request to the web server, rendering the web server inaccessible and causing it to crash.

An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering the system.

ICSA-19-120-01

Recovery requires a cold restart of the system.

2. RSLinx Classic Stack-based Buffer Overflow Vulnerability, Sept. 20, 2018

This vulnerability was previously published. It applies to:

  • RSLinx Classic workstation software application <= v4.00.01

In this case, a threat actor could exploit a stack-based buffer overflow condition, which would allow remote execution of arbitrary code against the targeted system.

Recovery requires a restart of the software.

3. RSLinx Classic Uncontrolled Resource Consumption Vulnerability, Sept. 20, 2018

This vulnerability was also previously published and applies to:

  • RSLinx Classic workstation software application <= v4.00.01

In this case, a remote threat actor could intentionally send a malformed CIP packet to Port 44818, causing uncontrolled resource consumption. A DoS would result, causing the software application to stop responding and crash.

Recovery requires a restart of the software.

Rockwell Automation Issues Updates that Eradicate the Vulnerabilities

Rockwell Automation has issued two Security Advisories for these vulnerabilities. These advisories provide:

  • A new firmware version (FRN 31.011 or later) for the affected PLCs with a confirmed fix of the issue.
  • A software update (KB 1075712) for the RSLinx Classic suite

Based on our experience with previous disclosures, these vulnerabilities were handled in a timely and effective manner by the security team at Rockwell Automation.

Rockwell Automation has provided updates that eradicate the vulnerabilities in the CompactLogix PLCs. These controllers are used in many sectors, including transportation.

Safety and Business Impacts

The widespread use of CompactLogix controllers throughout multiple industries around the world highlights the challenges of securing industrial facilities. And, long device lifespans mean that organizations may be utilizing vulnerable assets in sensitive environments for extended periods of time.

The challenge is further complicated by the fact that critical control devices cannot be readily taken offline for patching.

To assess your organization’s level of cyber risk to these vulnerabilities, it’s important to have visibility into the susceptible devices in your facilities and use that information in your remediation plan. Such a plan needs to consider cyber risks, safety and environmental concerns, as well as business impacts.
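The following script is an added example (not code from Nozomi Networks or Rockwell Automation) of the first step in such a remediation plan: running an asset inventory against the affected version ranges stated in this article (1769 CompactLogix 5370 at revisions <= v30.01.1, fixed in FRN 31.011 or later; RSLinx Classic <= v4.00.01, addressed by the KB 1075712 update). The CSV inventory format, the asset names and the version strings in the sample are constructed for the example. It compares revisions numerically rather than as strings, which matters because a plain string comparison would rank a hypothetical "v9.00.0" above "v30.01.1".

```python
"""Inventory triage for the Rockwell Automation advisories discussed in the article.

Added example, not Nozomi Networks' or Rockwell Automation's code. The affected
ceilings and fixed versions are the ones the article states; the inventory
format (CSV with asset,product,version columns) and the sample rows are
constructed for this example.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Affected version ceilings and remediation, as stated in the article.
AFFECTED: Dict[str, Dict[str, str]] = {
    "CompactLogix 5370": {"max_vulnerable": "30.01.1", "fixed_in": "FRN 31.011 or later"},
    "RSLinx Classic": {"max_vulnerable": "4.00.01", "fixed_in": "KB 1075712 software update"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v30.01.1', 'FRN 31.011' or '4.00.01' into a tuple of ints.

    Components are compared numerically, so '9.00.0' sorts below '30.01.1';
    a string comparison would get that backwards.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the product is in scope and its version is at or below the ceiling."""
    rule = AFFECTED.get(product)
    if rule is None:
        return False  # product not covered by these advisories
    return parse_version(version) <= parse_version(rule["max_vulnerable"])


def triage(inventory_csv: str) -> List[Dict[str, str]]:
    """Return one finding per vulnerable asset, with the remediation to plan for."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_vulnerable(row["product"], row["version"]):
            findings.append({
                "asset": row["asset"],
                "product": row["product"],
                "version": row["version"],
                "remediation": AFFECTED[row["product"]]["fixed_in"],
            })
    return findings


# Constructed sample inventory (asset names and versions are illustrative only).
SAMPLE_INVENTORY = """asset,product,version
plc-line1,CompactLogix 5370,v30.01.1
plc-line2,CompactLogix 5370,FRN 31.011
plc-line3,CompactLogix 5370,v9.00.0
ews-01,RSLinx Classic,4.00.01
ews-02,RSLinx Classic,4.10.00
hmi-01,Generic HMI,11.00
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['asset']}: {finding['product']} {finding['version']} "
              f"-> {finding['remediation']}")
```

Assets that cannot be patched promptly (the article notes that control devices are rarely taken offline on demand) still appear in the findings list, so the output doubles as the list of devices that need the network mitigations below until the firmware update is scheduled.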

NCCIC Recommended Solutions and Mitigations

NCCIC has provided a set of recommendations, including standard mitigations, to protect impacted end users from these vulnerabilities. These mitigations are outlined in the Security Advisory and include:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may also have vulnerabilities and should be updated to the most current versions available. Also recognize that VPN is only as secure as the connected devices.
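As an added example of checking the first two mitigations (not code from NCCIC, Nozomi Networks or Rockwell Automation), the script below audits a simple flow log for connections that reach a PLC's CIP port (44818, the port named in the RSLinx advisory above) or its web server ports (80/443, the HTTP/HTTPS service the CompactLogix advisory concerns) from anywhere other than the engineering subnet. The flow-log format, the PLC addresses, the engineering subnet and the log lines are all constructed; the "external" test uses an explicit list of RFC 1918 ranges rather than the library's own notion of a private address.

```python
"""Network-exposure audit for PLC services, written for the mitigations in the article.

Added example, not from the article, NCCIC or Rockwell Automation. Assumed
constructed log format: 'timestamp src_ip dst_ip dst_port proto', one flow per
line. PLC addresses, the engineering-workstation subnet and the sample lines
are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional

# Ports the advisories concern: CIP/EtherNet-IP and the PLC's built-in web server.
PLC_PORTS = {44818: "CIP/EtherNet-IP", 80: "PLC web server (HTTP)", 443: "PLC web server (HTTPS)"}

# Constructed addresses for the example.
PLCS = {ipaddress.ip_address("10.10.5.21"), ipaddress.ip_address("10.10.5.22")}
ENGINEERING_NET = ipaddress.ip_network("10.10.50.0/24")

# RFC 1918 ranges, listed explicitly so "external" does not depend on library quirks.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(line: str) -> Optional[Dict[str, str]]:
    """Return a finding if a flow reaches a PLC service from an unexpected source, else None.

    Engineering-subnet sources are expected. Other internal sources (e.g. the
    business network) violate the 'isolate from the business network' mitigation;
    external sources violate 'not accessible from the Internet'.
    """
    ts, src, dst, port, proto = line.split()
    dst_ip = ipaddress.ip_address(dst)
    dst_port = int(port)
    if dst_ip not in PLCS or dst_port not in PLC_PORTS:
        return None
    src_ip = ipaddress.ip_address(src)
    if src_ip in ENGINEERING_NET:
        return None
    severity = "high" if is_internal(src_ip) else "critical"
    return {
        "time": ts,
        "src": src,
        "dst": dst,
        "service": PLC_PORTS[dst_port],
        "severity": severity,
    }


def audit(log_text: str) -> List[Dict[str, str]]:
    """Run classify_flow over every non-empty log line and collect the findings."""
    return [f for f in (classify_flow(l) for l in log_text.splitlines() if l.strip()) if f]


# Constructed sample flow log (timestamps and addresses are illustrative only).
SAMPLE_LOG = """\
2020-03-03T10:00:01Z 10.10.50.12 10.10.5.21 44818 tcp
2020-03-03T10:00:05Z 10.20.7.33 10.10.5.21 80 tcp
2020-03-03T10:00:09Z 203.0.113.7 10.10.5.22 44818 tcp
2020-03-03T10:00:12Z 10.20.7.33 10.20.7.1 443 tcp
2020-03-03T10:00:15Z 10.10.50.12 10.10.5.22 443 tcp
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['time']} {finding['src']} -> "
              f"{finding['dst']} {finding['service']}")
```

Any "critical" finding means a PLC service is reachable from outside the private address space, which is exactly the exposure the first mitigation asks you to rule out; "high" findings point at missing segmentation between the business and control networks.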

Nozomi Networks Products Automatically Identify Affected Systems

Nozomi Networks customers with a Threat Intelligence subscription benefit from custom signatures that identify these vulnerabilities.

Guardian customers automatically receive alerts letting them know which PLCs are vulnerable. The products also provide detailed information that facilitates remediation planning.

Take Action Against Cyber Risk from Legacy Devices

While the challenge of securing legacy industrial devices is formidable, today there are tools and information available to help.

Research is identifying which devices have specific vulnerabilities. Products such as ours automatically monitor industrial systems for newly revealed vulnerabilities and identify the affected devices. And, vendors such as Rockwell Automation are providing updates that address the issues.

Armed with this information, you can prioritize the actions needed to improve the cybersecurity posture of your operations.