CWE: 829

CVE-2022-1161: ICSA-22-090-05 Rockwell Automation Logix Controllers

First published: Thu Mar 31 2022

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a location separate from the executed compiled code, allowing an attacker to change one and not the other.

Credit: ics-cert@hq.dhs.gov

Affected Software
Rockwellautomation Compactlogix 1768-l43 Firmware
Rockwellautomation Compactlogix 1768-l43
Rockwellautomation Compactlogix 1768-l45 Firmware
Rockwellautomation Compactlogix 1768-l45
Rockwellautomation Compactlogix 1769-l31 Firmware
Rockwellautomation Compactlogix 1769-l31
Rockwellautomation Compactlogix 1769-l32c Firmware
Rockwellautomation Compactlogix 1769-l32c
Rockwellautomation Compactlogix 1769-l32e Firmware
Rockwellautomation Compactlogix 1769-l32e
Rockwellautomation Compactlogix 1769-l35cr Firmware
Rockwellautomation Compactlogix 1769-l35cr
Rockwellautomation Compactlogix 1769-l35e Firmware
Rockwellautomation Compactlogix 1769-l35e
Rockwellautomation Compactlogix 5370 L3 Firmware
Rockwellautomation Compactlogix 5370 L3
Rockwellautomation Compactlogix 5370 L2 Firmware
Rockwellautomation Compactlogix 5370 L2
Rockwellautomation Compactlogix 5370 L1 Firmware
Rockwellautomation Compactlogix 5370 L1
Rockwellautomation Compactlogix 5380 Firmware
Rockwellautomation Compactlogix 5380
Rockwellautomation Compactlogix 5480 Firmware
Rockwellautomation Compactlogix 5480
Rockwellautomation Compact Guardlogix 5370 Firmware
Rockwellautomation Compact Guardlogix 5370
Rockwellautomation Compact Guardlogix 5380 Firmware
Rockwellautomation Compact Guardlogix 5380
Rockwellautomation Controllogix 5550 Firmware
Rockwellautomation Controllogix 5550
Rockwellautomation Controllogix 5560 Firmware
Rockwellautomation Controllogix 5560
Rockwellautomation Controllogix 5570 Firmware
Rockwellautomation Controllogix 5570
Rockwellautomation Controllogix 5580 Firmware
Rockwellautomation Controllogix 5580
Rockwellautomation Guardlogix 5560 Firmware
Rockwellautomation Guardlogix 5560
Rockwellautomation Guardlogix 5570 Firmware
Rockwellautomation Guardlogix 5570
Rockwellautomation Guardlogix 5580 Firmware
Rockwellautomation Guardlogix 5580
Rockwellautomation Flexlogix 1794-l34 Firmware
Rockwellautomation Flexlogix 1794-l34
Rockwellautomation Drivelogix 5730 Firmware
Rockwellautomation Drivelogix 5730
Rockwellautomation Softlogix 5800 Firmware
Rockwellautomation Softlogix 5800
Rockwell Automation 1768 CompactLogix controllers
Rockwell Automation 1769 CompactLogix controllers
Rockwell Automation CompactLogix 5370 controllers
Rockwell Automation CompactLogix 5380 controllers
Rockwell Automation CompactLogix 5480 controllers
Rockwell Automation Compact GuardLogix 5370 controllers
Rockwell Automation Compact GuardLogix 5380 controllers
Rockwell Automation ControlLogix 5550 controllers
Rockwell Automation ControlLogix 5560 controllers
Rockwell Automation ControlLogix 5570 controllers
Rockwell Automation ControlLogix 5580 controllers
Rockwell Automation GuardLogix 5560 controllers
Rockwell Automation GuardLogix 5570 controllers
Rockwell Automation GuardLogix 5580 controllers
Rockwell Automation FlexLogix 1794-L34 controllers
Rockwell Automation DriveLogix 5730 controllers
Rockwell Automation SoftLogix 5800 controllers

Remedy

The following mitigations should be applied for ControlLogix 5560, ControlLogix 5570, ControlLogix 5580 series, GuardLogix 5570, GuardLogix 5580, GuardLogix 5380, CompactLogix, CompactLogix 5380 devices:

Risk Mitigation A:

  • Recompile and download user program code (i.e., acd).
  • Put controller mode switch into Run position.

If keeping controller mode switch in Run is impractical, use the following mitigation:

  • Recompile and download user program code (i.e., acd).
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • Utilize the Controller Log feature.
  • Utilize Change Detection in the Logix Designer Application.
  • If available, use the functionality in FactoryTalk AssetCenter software to detect changes.

Risk Mitigation B:

Implement CIP Security to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:

  • ControlLogix 5580 processors using on-board EtherNet/IP port.
  • GuardLogix 5580 processors using on-board EtherNet/IP port.
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP module.
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port.
  • CompactLogix GuardLogix 5380 using on-board EtherNet/IP port.

The following mitigations should be applied for 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, and CompactLogix 5480 devices:

  • Recompile and download user program code (i.e., acd).
  • Put controller mode switch into Run position.

If keeping controller mode switch in Run is impractical, then use the following mitigation:

  • Recompile and download user program code (i.e., acd).
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • Use the Controller Log feature.
  • Use Change Detection in the Logix Designer application.
  • If available, use the functionality in FactoryTalk AssetCenter to detect changes.

Frequently Asked Questions

  • What is CVE-2022-1161?

    CVE-2022-1161 is a vulnerability that allows an attacker to change user program code on certain Rockwell Automation Control systems.

  • What is the severity of CVE-2022-1161?

    CVE-2022-1161 has a severity rating of 9.8, which is classified as critical.

  • How does CVE-2022-1161 affect Rockwell Automation CompactLogix 1768-L43?

    Rockwell Automation CompactLogix 1768-L43 is affected by CVE-2022-1161, allowing an attacker to change user program code.

  • How do I fix CVE-2022-1161?

    To fix CVE-2022-1161, Rockwell Automation recommends applying the necessary security updates provided by the vendor.

  • Where can I find more information about CVE-2022-1161?

    You can find more information about CVE-2022-1161 on the official advisory from the Cybersecurity and Infrastructure Security Agency (CISA).
