Detections
Analytics

Rockwell Automation Studio 5000 Logix Designer Improper Control of Generation of Code (CVE-2022-1159)

high Tenable OT Security Plugin ID 500631

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Rockwell Automation recommends users of the affected hardware and software take risk mitigation steps listed below.
Users are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

There is no direct mitigation for this vulnerability in the Logix Designer application. However, a detection method is available to determine if the user program residing in the controller is identical to what was downloaded. This user program verification can be done by the following:

- On-demand using the Logix Designer application Compare Tool v9 or later
- Scheduled using FactoryTalk AssetCentre v12 or later user program verification (Available Fall 2022)

To leverage these detection capabilities, users are directed to upgrade to:

- Studio 5000 v34 software. or later
- Corresponding versions of Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware.
- One of the following compare tools
- Logix Designer application Compare Tool v9 or later – installed with Studio 5000 Logix Designer
 - FactoryTalk AssetCentre v12 or later software (Available Fall 2022)

This user program comparison must be performed on an uncompromised workstation.

See Also

https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07

https://www.rockwellautomation.com/en-us/support/advisory.PN1586.html

http://www.nessus.org/u?7c944bfe

http://www.nessus.org/u?59e35533

Plugin Details

Severity: High

ID: 500631

Version: 1.9

Type: remote

Family: Tenable.ot

Published: 4/28/2022

Updated: 4/11/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2022-1159

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:rockwellautomation:compact_guardlogix_5380_firmware, cpe:/o:rockwellautomation:compactlogix_5380_firmware, cpe:/o:rockwellautomation:compactlogix_5480_firmware, cpe:/o:rockwellautomation:controllogix_5580_firmware, cpe:/o:rockwellautomation:guardlogix_5580_firmware

Required KB Items: Tenable.ot/Rockwell

Exploit Ease: No known exploits are available

Patch Publication Date: 4/1/2022

Vulnerability Publication Date: 4/1/2022

Reference Information

CVE: CVE-2022-1159

CWE: 94