02 March 2021

KLCERT-17-029: Authentication bypass in Rockwell Automation Logix controllers

Vendor

Rockwell Automation

Researchers

Alexander Nochvay, Kaspersky ICS CERT

Eunseon Jeong, Soonchunhyang University

Youngho An, Soonchunhyang University

Junyoung Park, Soonchunhyang University

Insu Oh, Soonchunhyang University

Kangbin Yim, Soonchunhyang University

Sharon Brizinov, Claroty

Timeline

Timeline

  • Kaspersky ICS CERT advisory updated

    02 November 2023

  • Kaspersky ICS CERT advisory published

    02 March 2021

  • Vendor published the advisory

    25 February 2021

  • Vendor confirmed the vulnerability

    22 September 2017

  • Vulnerability reported

    20 September 2017

Description

Studio 5000 Logix Designer, RSLogix 5000 and Logix controllers use a hardcoded key to verify participants of communication.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

A remote unauthenticated attacker able to bypass a verification mechanism and authenticate with Logix controllers and PLC emulator of RSLogix 5000 or Studio 5000 Logix Designer Software.

Existence of exploit

PoC

Affected products

RSLogix 5000 software v16-v20
Studio 5000 Logix Designer v21 and later
1768 CompactLogix
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix 5730
FlexLogix 1794-L34
Compact GuardLogix 5370
Compact GuardLogix 5380
Guardlogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix 5800

Mitigation

Vendor mitigation

Vendor provided detailed information for mitigation in the security bulletin (login required).

KL mitigation

  • Set up the border firewall (or a similar network traffic control solution) to allow only authorized parties to send traffic to port 44818/TCP of the system.
  • Compartmentalize your network: implement network segmentation and strict access control for each segment to provide more comprehensive and efficient protection against a wide range of threats. Proper network segmentation prevents attackers from reaching critical assets in case of a network breach.
  • Implement a network intrusion detection system (NIDS). A comprehensive intrusion detection system is capable of detecting unusual network connections and abnormal traffic sent to the device, providing timely information about various suspicious activities and sufficiently reducing the attacker’s chances of successful exploitation.

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory updated

    02 November 2023

  • Kaspersky ICS CERT advisory published

    02 March 2021

  • Vendor published the advisory

    25 February 2021

  • Vendor confirmed the vulnerability

    22 September 2017

  • Vulnerability reported

    20 September 2017