02 March 2021

KLCERT-17-029: Authentication bypass in Rockwell Automation Logix controllers

Vendor

Rockwell Automation

Researcher

Alexander Nochvay, Senior Security Researcher, Kaspersky ICS CERT

Timeline

  • Kaspersky ICS CERT advisory published

    02 March 2021

  • Vendor advisory published

    25 February 2021

  • Vendor confirmation

    22 September 2017

  • Vulnerability reported

    20 September 2017

Description

Studio 5000 Logix Designer, RSLogix 5000 and Logix controllers use a hardcoded key to verify the participants of a communication session. Because the same key is present in every copy of the software and in every controller, possession of it does not prove that the peer is a legitimate engineering workstation.
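To make the weakness concrete, here is an added illustration (not code from the advisory, the vendor or the researcher, and not Rockwell's actual verification protocol): a challenge-response check keyed by a secret that ships identically in every installation. The key value, the HMAC construction and the per-controller alternative are assumptions made for the illustration only.

```python
import hashlib
import hmac
import os

# Constructed for illustration (not the real key or protocol): a verification
# key compiled into every copy of the engineering software and every controller.
HARDCODED_KEY = b"example-key-shipped-in-every-install"


def prove_possession(key: bytes, challenge: bytes) -> bytes:
    """Client side: answer the controller's challenge with an HMAC keyed by the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Controller:
    """Server side: accepts any peer whose response matches the controller's own key."""

    def __init__(self, key: bytes):
        self._key = key

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify_peer(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def hardcoded_key_accepts_anyone() -> bool:
    """A hardcoded key: whoever recovers it from any copy of the software passes the check."""
    plc = Controller(HARDCODED_KEY)
    attacker_key = HARDCODED_KEY  # same bytes in every install, so trivially available
    c = plc.challenge()
    return plc.verify_peer(c, prove_possession(attacker_key, c))


def per_device_key_rejects_stranger() -> bool:
    """Assumed fix: a secret provisioned per controller and handed only to authorized
    workstations. The hardcoded key then proves nothing, while the provisioned key works."""
    provisioned_secret = os.urandom(32)  # assumption: unique per controller
    plc = Controller(provisioned_secret)
    c = plc.challenge()
    stranger_rejected = not plc.verify_peer(c, prove_possession(HARDCODED_KEY, c))
    workstation_accepted = plc.verify_peer(c, prove_possession(provisioned_secret, c))
    return stranger_rejected and workstation_accepted
```

The point of the contrast is that an HMAC over a fresh challenge is sound only if the key is a secret held by the intended parties; a key that is the same everywhere reduces the exchange to a protocol handshake rather than authentication.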

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

A remote unauthenticated attacker can bypass the verification mechanism and authenticate to Logix controllers and to the PLC emulator of RSLogix 5000 or Studio 5000 Logix Designer.

Existence of exploit

Unknown

Affected products

RSLogix 5000 software v16 and later
Studio 5000 Logix Designer v21 and later
1768 CompactLogix
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix 5730
FlexLogix 1794-L34
Compact GuardLogix 5370
Compact GuardLogix 5380
GuardLogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix 5800

Mitigation

Vendor mitigation

The vendor provides detailed mitigation information in its security bulletin (login required).

KL mitigation

  • A border firewall (or a similar network traffic control solution) should be configured to allow traffic to TCP port 44818 (EtherNet/IP, the port over which the engineering software and the controllers communicate) only from authorized parties, such as designated engineering workstations.
  • Compartmentalize the network: implement network segmentation with strict access control for each segment to provide more comprehensive and efficient protection against a wide range of threats. Proper network segmentation prevents an attacker who has breached the network from reaching critical assets.
  • Implement a network intrusion detection system (NIDS). A comprehensive IDS is capable of detecting unusual network connections and abnormal traffic, providing timely information about suspicious activity and significantly reducing an attacker's chances of successful exploitation.
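As an added example (not part of the original advisory, and not a Kaspersky or Rockwell tool), the following Python sketch applies the first and third bullets together: it parses the 24-byte EtherNet/IP encapsulation header that precedes every message on TCP 44818 and raises an alert when a RegisterSession request reaches the PLC segment from a host outside an assumed allowlist of engineering workstations. The addresses, the allowlist, the segment and the flow records are all constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

ENIP_PORT = 44818
ENIP_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}
REGISTER_SESSION = 0x0065

# Assumed policy: only these engineering workstations may open ENIP sessions
# to the controller segment. Addresses are constructed for the example.
AUTHORIZED_WORKSTATIONS = [ip_network("10.0.10.5/32"), ip_network("10.0.10.6/32")]
PLC_SEGMENT = ip_network("10.0.20.0/24")

# EtherNet/IP encapsulation header: command, length, session handle, status,
# 8-byte sender context, options. All integers little-endian; 24 bytes total.
HEADER_FMT = "<HHII8sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_enip_header(payload: bytes):
    """Return the decoded header, or None if the bytes are not a plausible ENIP frame."""
    if len(payload) < HEADER_LEN:
        return None
    command, length, session, status, context, options = struct.unpack_from(HEADER_FMT, payload, 0)
    if len(payload) - HEADER_LEN < length:  # body shorter than the header claims
        return None
    return {
        "command": command,
        "name": ENIP_COMMANDS.get(command, "Unknown"),
        "length": length,
        "session": session,
        "status": status,
        "sender_context": context,
        "options": options,
    }


def is_authorized(src: str) -> bool:
    return any(ip_address(src) in net for net in AUTHORIZED_WORKSTATIONS)


def inspect(flows):
    """Flag RegisterSession requests to the PLC segment from unauthorized sources.

    Each flow is (src_ip, dst_ip, dst_port, tcp_payload_bytes)."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != ENIP_PORT or ip_address(dst) not in PLC_SEGMENT:
            continue
        hdr = parse_enip_header(payload)
        if hdr is None:
            continue
        if hdr["command"] == REGISTER_SESSION and not is_authorized(src):
            alerts.append(f"ENIP RegisterSession from unauthorized host {src} to {dst}")
    return alerts


def register_session(session: int = 0) -> bytes:
    """Build a RegisterSession request: header plus a 4-byte body (protocol version 1, options 0)."""
    body = struct.pack("<HH", 1, 0)
    return struct.pack(HEADER_FMT, REGISTER_SESSION, len(body), session, 0, b"\x00" * 8, 0) + body


# Constructed sample traffic: one legitimate workstation, one unknown host.
FLOWS = [
    ("10.0.10.5", "10.0.20.11", 44818, register_session()),                     # authorized
    ("10.0.30.77", "10.0.20.11", 44818, register_session()),                    # should alert
    ("10.0.30.77", "10.0.20.11", 44818, b"\x63\x00\x00\x00" + b"\x00" * 20),    # ListIdentity, not a session
    ("10.0.30.77", "10.0.20.11", 80, b"GET / HTTP/1.0\r\n"),                    # not ENIP
]

if __name__ == "__main__":
    for alert in inspect(FLOWS):
        print(alert)
```

The same allowlist is what the border firewall rule in the first bullet should enforce; the detector is the second line, catching sessions that reach the controllers despite the rule (for example from inside the segment) and, because it decodes the header rather than matching on the port alone, ignoring discovery traffic such as ListIdentity that carries no session.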

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
