Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20, use a key to verify that Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480; ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; and SoftLogix 5800. Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000 Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with any of the controllers listed above (CompactLogix 1768, 1769, 5370, 5380, 5480; ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800).
A critical vulnerability exists in Rockwell Automation's Studio 5000 Logix Designer and RSLogix 5000 software that allows an unauthenticated attacker to bypass authentication and gain control of the affected industrial controllers. Successful exploitation could lead to disruption of operations, theft of intellectual property (such as controller programs), or physical damage to the industrial processes the controllers run.
Step 1: Reconnaissance. The attacker identifies target Rockwell Automation controllers and their network configuration.
Step 2: Vulnerability Identification. The attacker confirms that a vulnerable version of Studio 5000 Logix Designer or RSLogix 5000 is in use.
Step 3: Authentication Bypass. The attacker crafts network packets that bypass the authentication mechanism. This may involve reverse engineering the communication protocol or exploiting a known weakness in the authentication process.
Step 4: Unauthorized Access. The attacker sends the crafted packets to the target controller and gains unauthorized access.
Step 5: Command Execution / Data Exfiltration. The attacker issues commands to control the PLC, reads sensitive data, or modifies the controller's configuration.
The vulnerability stems from a flawed authentication mechanism that Rockwell Automation's Logix Designer and RSLogix 5000 software use to verify communication with Logix controllers. The software relies on a key, and that key-based check can be bypassed by an unauthenticated attacker. The root cause is likely a design flaw in which the authentication check is either missing or improperly implemented, so that an attacker can craft packets that appear legitimate to the controller. This could involve manipulating network traffic to spoof the authentication exchange, potentially because the cryptographic protection is missing or weak. Because the controller does not properly authenticate its peer, an attacker can send unauthorized commands, read sensitive data, or modify the controller's configuration.