
KLCERT-17-029: Authentication bypass in Rockwell Automation Logix controllers

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

KL-IDS: KLCERT-17-029
CVE-IDS: CVE-2021-22681
Publication date: 2021.03.02
Researcher: Alexander Nochvay, Kaspersky ICS CERT
Description: Studio 5000 Logix Designer, RSLogix 5000 and Logix controllers use a hardcoded key to verify participants of communication.
Impact: A remote unauthenticated attacker is able to bypass a verification mechanism and authenticate with Logix controllers and with the PLC emulator of RSLogix 5000 or Studio 5000 Logix Designer software.
Severity:
CVSS v3 Base Score: 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: Remotely
Difficulty: Low
User interaction: None
Existence of exploit: Unknown
Affected products
  • RSLogix 5000 software v16 and later
  • Studio 5000 Logix Designer v21 and later
  • 1768 CompactLogix
  • 1769 CompactLogix
  • CompactLogix 5370
  • CompactLogix 5380
  • CompactLogix 5480
  • ControlLogix 5550
  • ControlLogix 5560
  • ControlLogix 5570
  • ControlLogix 5580
  • DriveLogix 5730
  • FlexLogix 1794-L34
  • Compact GuardLogix 5370
  • Compact GuardLogix 5380
  • GuardLogix 5560
  • GuardLogix 5570
  • GuardLogix 5580
  • SoftLogix 5800
Mitigation
Vendor mitigation: The vendor provided detailed mitigation information in its security bulletin (login required).
KL mitigation:
  • The border firewall (or a similar network traffic control solution) should be configured to allow traffic to TCP port 44818 only from authorized parties.
  • Compartmentalize your network: implement network segmentation and strict access control for each segment to provide more comprehensive and efficient protection against a wide range of threats. Proper network segmentation prevents attackers from reaching critical assets in case of a network breach.
  • Implement a network intrusion detection (NIDS) solution. A comprehensive IDS solution is capable of detecting unusual network connections and abnormal traffic, providing timely information about various suspicious activities and substantially reducing an attacker's chances of successful exploitation.
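The first and third mitigations above amount to one rule: only known engineering hosts may open EtherNet/IP (TCP 44818) sessions to the controllers, and anything else is worth an alert. The following script is an added illustration written for this advisory, not Kaspersky's or Rockwell's code; it renders an nftables fragment enforcing that allow-list and runs the same allow-list over a few constructed flow records to flag sessions from unauthorized sources. All IP addresses and the flow-record format are hypothetical.

```python
"""
Allow-list enforcement and detection for EtherNet/IP (TCP 44818) traffic
to Logix controllers. Added example for KLCERT-17-029; all addresses and
the flow-record format below are constructed, not taken from the advisory.
"""
import ipaddress

# Port named in the advisory's firewall mitigation (EtherNet/IP explicit messaging).
ENIP_TCP_PORT = 44818

# Hypothetical controllers and the only hosts allowed to talk to them.
CONTROLLERS = {"10.10.1.10", "10.10.1.11"}
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]  # engineering workstations

# Constructed flow records: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
SAMPLE_FLOWS = """\
2021-03-02T10:00:01Z 10.10.5.3 -> 10.10.1.10:44818/tcp
2021-03-02T10:00:05Z 10.10.5.4 -> 10.10.1.11:44818/tcp
2021-03-02T10:01:12Z 10.10.7.99 -> 10.10.1.10:44818/tcp
2021-03-02T10:01:40Z 192.168.0.20 -> 10.10.1.11:44818/tcp
2021-03-02T10:02:00Z 10.10.7.99 -> 10.10.1.10:443/tcp
""".splitlines()


def is_authorized(src):
    """True if the source address falls inside one of the authorized networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, _arrow, dst = line.split()
    host, rest = dst.rsplit(":", 1)
    port, proto = rest.split("/")
    return {"ts": ts, "src": src, "dst": host, "port": int(port), "proto": proto}


def find_unauthorized_enip(lines):
    """Return (timestamp, src, dst) for every TCP/44818 session to a controller
    that did not come from an authorized source; other traffic is ignored."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["port"] != ENIP_TCP_PORT:
            continue
        if f["dst"] not in CONTROLLERS:
            continue
        if not is_authorized(f["src"]):
            alerts.append((f["ts"], f["src"], f["dst"]))
    return alerts


def nftables_allowlist(sources=AUTHORIZED_SOURCES, port=ENIP_TCP_PORT):
    """Render an nftables chain fragment: accept the port only from the
    authorized sources, drop it from everywhere else (default-deny on 44818)."""
    set_body = ", ".join(str(net) for net in sources)
    return "\n".join([
        f"tcp dport {port} ip saddr {{ {set_body} }} accept",
        f"tcp dport {port} drop",
    ])


if __name__ == "__main__":
    print("nftables fragment for the border firewall:")
    print(nftables_allowlist())
    print("\nunauthorized EtherNet/IP sessions in sample flows:")
    for ts, src, dst in find_unauthorized_enip(SAMPLE_FLOWS):
        print(f"  {ts}  {src} -> {dst}:{ENIP_TCP_PORT}")
```

Run against the constructed records, the script reports the two sessions from 10.10.7.99 and 192.168.0.20 and ignores the HTTPS flow on port 443. In practice the same allow-list should be the source of both the firewall rule and the IDS rule, so that a change in who is authorized is made once; note that the firewall rule only covers the explicit-messaging TCP port named in the advisory.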
Timeline
  • 20 September 2017 – Vulnerability reported
  • 22 September 2017 – Vendor confirmed the vulnerability
  • 25 February 2021 – Vendor published the advisory