First published: Thu Mar 31 2022
An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix control systems. Studio 5000 Logix Designer writes user-readable program code to a different location from the executed compiled code, allowing an attacker to change one and not the other.
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix |
---|---|---|
Rockwellautomation Compactlogix 1768-l43 Firmware | ||
Rockwellautomation Compactlogix 1768-l43 | ||
Rockwellautomation Compactlogix 1768-l45 Firmware | ||
Rockwellautomation Compactlogix 1768-l45 | ||
Rockwellautomation Compactlogix 1769-l31 Firmware | ||
Rockwellautomation Compactlogix 1769-l31 | ||
Rockwellautomation Compactlogix 1769-l32c Firmware | ||
Rockwellautomation Compactlogix 1769-l32c | ||
Rockwellautomation Compactlogix 1769-l32e Firmware | ||
Rockwellautomation Compactlogix 1769-l32e | ||
Rockwellautomation Compactlogix 1769-l35cr Firmware | ||
Rockwellautomation Compactlogix 1769-l35cr | ||
Rockwellautomation Compactlogix 1769-l35e Firmware | ||
Rockwellautomation Compactlogix 1769-l35e | ||
Rockwellautomation Compactlogix 5370 L3 Firmware | ||
Rockwellautomation Compactlogix 5370 L3 | ||
Rockwellautomation Compactlogix 5370 L2 Firmware | ||
Rockwellautomation Compactlogix 5370 L2 | ||
Rockwellautomation Compactlogix 5370 L1 Firmware | ||
Rockwellautomation Compactlogix 5370 L1 | ||
Rockwellautomation Compactlogix 5380 Firmware | ||
Rockwellautomation Compactlogix 5380 | ||
Rockwellautomation Compactlogix 5480 Firmware | ||
Rockwellautomation Compactlogix 5480 | ||
Rockwellautomation Compact Guardlogix 5370 Firmware | ||
Rockwellautomation Compact Guardlogix 5370 | ||
Rockwellautomation Compact Guardlogix 5380 Firmware | ||
Rockwellautomation Compact Guardlogix 5380 | ||
Rockwellautomation Controllogix 5550 Firmware | ||
Rockwellautomation Controllogix 5550 | ||
Rockwellautomation Controllogix 5560 Firmware | ||
Rockwellautomation Controllogix 5560 | ||
Rockwellautomation Controllogix 5570 Firmware | ||
Rockwellautomation Controllogix 5570 | ||
Rockwellautomation Controllogix 5580 Firmware | ||
Rockwellautomation Controllogix 5580 | ||
Rockwellautomation Guardlogix 5560 Firmware | ||
Rockwellautomation Guardlogix 5560 | ||
Rockwellautomation Guardlogix 5570 Firmware | ||
Rockwellautomation Guardlogix 5570 | ||
Rockwellautomation Guardlogix 5580 Firmware | ||
Rockwellautomation Guardlogix 5580 | ||
Rockwellautomation Flexlogix 1794-l34 Firmware | ||
Rockwellautomation Flexlogix 1794-l34 | ||
Rockwellautomation Drivelogix 5730 Firmware | ||
Rockwellautomation Drivelogix 5730 | ||
Rockwellautomation Softlogix 5800 Firmware | ||
Rockwellautomation Softlogix 5800 | ||
Rockwell Automation 1768 CompactLogix controllers | ||
Rockwell Automation 1769 CompactLogix controllers | ||
Rockwell Automation CompactLogix 5370 controllers | ||
Rockwell Automation CompactLogix 5380 controllers | ||
Rockwell Automation CompactLogix 5480 controllers | ||
Rockwell Automation Compact GuardLogix 5370 controllers | ||
Rockwell Automation Compact GuardLogix 5380 controllers | ||
Rockwell Automation ControlLogix 5550 controllers | ||
Rockwell Automation ControlLogix 5560 controllers | ||
Rockwell Automation ControlLogix 5570 controllers | ||
Rockwell Automation ControlLogix 5580 controllers | ||
Rockwell Automation GuardLogix 5560 controllers | ||
Rockwell Automation GuardLogix 5570 controllers | ||
Rockwell Automation GuardLogix 5580 controllers | ||
Rockwell Automation FlexLogix 1794-L34 controllers | ||
Rockwell Automation DriveLogix 5730 controllers | ||
Rockwell Automation SoftLogix 5800 controllers | ||

The following mitigations should be applied for ControlLogix 5560, ControlLogix 5570, ControlLogix 5580 series, GuardLogix 5570, GuardLogix 5580, GuardLogix 5380, CompactLogix, CompactLogix 5380 devices:

Risk Mitigation A:

- Recompile and download user program code (i.e., acd).
- Put controller mode switch into Run position.

If keeping controller mode switch in Run is impractical, use the following mitigation:

- Recompile and download user program code (i.e., acd).
- Monitor controller change log for any unexpected modifications or anomalous activity.
- Utilize the Controller Log feature.
- Utilize Change Detection in the Logix Designer Application.
- If available, use the functionality in FactoryTalk AssetCenter software to detect changes.

Risk Mitigation B:

Implement CIP Security to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:

- ControlLogix 5580 processors using on-board EtherNet/IP port.
- GuardLogix 5580 processors using on-board EtherNet/IP port.
- ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR.
- ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP module. If using a 1756-EN2T, then replace with a 1756-EN4TR.
- CompactLogix 5380 using on-board EtherNet/IP port.
- CompactLogix GuardLogix 5380 using on-board EtherNet/IP port.

The following mitigations should be applied for 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, and CompactLogix 5480 devices:

- Recompile and download user program code (i.e., acd).
- Put controller mode switch into Run position.

If keeping controller mode switch in Run is impractical, then use the following mitigation:

- Recompile and download user program code (i.e., acd).
- Monitor controller change log for any unexpected modifications or anomalous activity.
- Use the Controller Log feature.
- Use Change Detection in the Logix Designer application.
- If available, use the functionality in FactoryTalk AssetCenter to detect changes.
CVE-2022-1161 is a vulnerability that allows an attacker to change user program code on certain Rockwell Automation Control systems.
CVE-2022-1161 has a severity rating of 9.8, which is classified as critical.
Rockwell Automation CompactLogix 1768-L43 is affected by CVE-2022-1161, allowing an attacker to change user program code.
To fix CVE-2022-1161, Rockwell Automation recommends applying the necessary security updates provided by the vendor.
You can find more information about CVE-2022-1161 on the official advisory from the Cybersecurity and Infrastructure Security Agency (CISA).