Loading
myRockwellAutomation
工作机会
投资者
PartnerNetwork 门户
联系我们
热门资源
兼容性和下载中心 (PCDC) 知识库 Literature Library 生命周期状态 Learning+ 培训门户
 
产品管理
资产管理 (RAAMP) Installed Base Evaluation (IBE) My Equipment Self-Service 产品注册 维修 服务合同和票据 软件激活 软件订阅 可持续性仪表板
 
产品配置和选型
顾问 材料单 CrossWorks Integrated Architecture Builder 产品目录 ProposalWorks 方案生成器 ProposalWorks 标准制定者 Safety Automation Builder
 

 

查看全部工具 →

InformationInformation
This content is not available in your selected language.
Rockwell Automation 徽标
产品
硬件
硬件新动向
电路和负载保护 状态监测 连接设备 分布式控制系统 变频器 能源监测 人机界面 (HMI) 独立推车技术 工业计算机和监视器 工业控制产品 输入/输出模块 照明控制
运动控制 马达控制 网络安全与基础架构 成套解决方案 电源 可编程控制器 按钮和信号设备 继电器和计时器 安全仪表系统 安全产品 传感器和开关 信号接口
软件
软件新动向
云软件
软件订阅
 
设计
Studio 5000 FactoryTalk Logix Echo Emulate3D 数字孪生体 Arena 仿真 FactoryTalk Design Studio FactoryTalk Twin Studio FactoryTalk Vault
 
分析与数据
FactoryTalk Analytics FactoryTalk Historian FactoryTalk Analytics LogixAI FactoryTalk DataMosaix FactoryTalk Energy Manager Thingworx 工业物联网 FactoryTalk Transaction Manager FactoryTalk Analytics VisionAI FactoryTalk Analytics Pavilion8
HMI
FactoryTalk View FactoryTalk Optix
 
MES
Plex MES Plex 质量管理 FactoryTalk PharmaSuite Finite Scheduler
 
性能监控
Plex 生产监控 FactoryTalk Metrics 整体设备效率
 
瘦客户端管理
ThinManager
维护
Plex APM Fiix CMMS FactoryTalk AssetCentre FactoryTalk Remote Access FactoryTalk Network Manager Emonitor
 
过程
PlantPAx FactoryTalk Batch
 
工业通信
FactoryTalk Linx
 
XR/增强现实
Vuforia
产品名录 Allen-Bradley FactoryTalk
服务
资产优化与团队服务
资产优化服务概述 设备维修 设备再制造 维修与库存协议 集成服务协议 远程支持与监视 现场服务 安全服务 培训服务
网络安全与网络基础设施
网络安全 工业网络基础设施 预先设计的网络解决方案
数字主线
概述
生产自动化
概述
Loading
LifecycleIQ 服务
解决方案与行业
解决方案
高级运动与机器人技术 资产管理 网络安全 数据操作和分析 数字主线 数字化转型 工业自动化和控制 工业部件 网络与基础设施 机旁控制解决方案
成套解决方案 过程解决方案 生产自动化 制造运营管理 安全解决方案  可扩展控制与可视化 智能制造 可持续解决方案 赋能劳动力
 
解决方案适用于
原始设备制造商
行业
汽车与轮胎行业 水泥 化工 娱乐 化纤与纺织 食品和饮料 家庭与个人护理 氢气 基础设施 生命科学
船舶 冶金 矿山 石油和天然气 发电 印刷和出版 纸浆和造纸 半导体 仓储和履单 水/污水处理
Loading
查看案例研究
支持
文档
技术文档中心 产品图纸和接线图 产品认证 版本说明 技术规格
产品支持
下载 选型与配置 管理
培训
网络研讨会 员工发展培训 教师指导课程 认证计划 工作指导 培训工作站 Learning+ 订阅式在线学习课程
联系我们
TechConnect 支持 客户服务中心 Software Portal Help 一般查询
TechConnect 支持
一位戴耳机的男士正在提供客户服务支持
TechConnect 支持

获取解决技术挑战的知识和帮助。

了解有关 TechConnect 的更多信息
兼容性和下载中心 (PCDC) 知识库 Literature Library Engage Online Community
销售与合作伙伴
查找合作伙伴
转到合作伙伴搜索器
 
我们的 PartnerNetwork
PartnerNetwork 计划 分销商合作伙伴 许可开发商
原始设备制造商 (OEM) 合作伙伴 系统集成商合作伙伴 技术合作伙伴
PartnerNetwork™ 是什么?
两个人正在使用平板电脑进行交互
PartnerNetwork™ 是什么?

我们的 Rockwell Automation PartnerNetwork™ 计划帮助客户找到更佳人力、产品、服务与解决方案,以满足其生产目标,并使互联企业成为现实。

立即探索
myRockwellAutomation
工作机会
投资者
PartnerNetwork 门户
联系我们
资源
热门资源
兼容性和下载中心 (PCDC) 知识库 Literature Library 生命周期状态 Learning+ 培训门户
 
产品管理
资产管理 (RAAMP) Installed Base Evaluation (IBE) My Equipment Self-Service 产品注册 维修 服务合同和票据 软件激活 软件订阅 可持续性仪表板
 
产品配置和选型
顾问 材料单 CrossWorks Integrated Architecture Builder 产品目录 ProposalWorks 方案生成器 ProposalWorks 标准制定者 Safety Automation Builder
 

 

查看全部工具 →

选择国家或地区
  • 中国
  • Argentina
  • Australia
  • Belgique | Belgium
  • Brasil
  • Canada
  • Colombia
  • Czech Republic
  • Denmark
  • Deutschland
  • España
  • Finland
  • France
  • Hungary
  • India
  • Indonesia
  • Ireland
  • Israel
  • Italia
  • México
  • Netherlands
  • New Zealand
  • Norway
  • Poland
  • Portugal
  • Puerto Rico
  • Romania
  • Russia
  • Schweiz | Suisse
  • Singapore
  • South Africa
  • Sweden
  • Turkey
  • Ukraine
  • United Arab Emirates
  • United Kingdom
  • United States
  • Österreich
  • 台灣, 中國
  • 日本
  • 한국
选择语言
  • 简体中文
  • Deutsch
  • English
  • Español
  • Français
  • Italiano
  • Português
  • 日本語
  • 繁體中文
  • 한국어
登录 Create an Account
Why Create an Account?
Create bills of materials, submit repair quotes, register products and more!

Manage your e-communication subscription preferences.

Manage your user profile.
Welcome, {0}
Residing Location
我的帐户 注销
您近期的搜索记录
  • HistoryHistory
    CloseClose
  • HistoryHistory
    CloseClose
  • HistoryHistory
    CloseClose
  • HistoryHistory
    CloseClose
  • HistoryHistory
    CloseClose
  • HistoryHistory
    CloseClose
所有
产品
文档
下载
建议搜索词条
  • SearchSearch
  • SearchSearch
  • SearchSearch
  • SearchSearch
  • SearchSearch
  • SearchSearch
“{0}” 的结果
查看所有结果
“{0}” 的产品结果
Product Image
Product Image
Product Image
查看所有产品结果
“{0}” 的文档结果
Portable Document Format.pdf file type
发布类型 发布日期 语言
Portable Document Format.pdf file type
发布类型 发布日期 语言
Portable Document Format.pdf file type
发布类型 发布日期 语言
查看所有文档结果
“{0}” 的下载结果
DownloadDownload
目录编号
DownloadDownload
目录编号
DownloadDownload
目录编号
查看所有下载结果

PN1585 | Logix Controllers May Allow for Unauthorized Code Injection

Severity:
Critical
Advisory ID:
PN1585
发布日期:
May 06, 2022
上次更新时间:
May 06, 2022
Revision Number:
1.2
Known Exploited Vulnerability (KEV):
否
Corrected:
否
Workaround:
否
CVE IDs
CVE-2021-22681,
CVE-2022-1161
摘要
Logix Controllers May Allow for Unauthorized Code Injection

Revision History
Revision History
Version 1.2 – May 06, 2022 Updated vulnerability details and risk mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”) whereby a private key was discovered potentially allowing Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communication that do not originate from Studio 5000 Logix Designer ® software.

Affected Products

  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™5730 controllers
  • SoftLogix™ 5800 controllers

Vulnerability Details

[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability – indicated by an X:
Product Structured Text
(ST)
Ladder Diagrams
(LD)
Function Block Diagram
(FBD)
Sequential Function Chart (SFC) Add-On Instructions (AOI)
1768 CompactLogix X Not affected X X X
1769 CompactLogix X Not affected X X X
CompactLogix 5370 X Not affected X X X
CompactLogix 5380 X X X X X
CompactLogix 5480 X X X X X
Compact GuardLogix 5370 X Not affected X X X
Compact GuardLogix 5380 X X X X X
ControlLogix 5550 X Not affected X X X
ControlLogix 5560 X Not affected X X X
ControlLogix 5570 X Not affected X X X
ControlLogix 5580 X X X X X
GuardLogix 5560 X Not affected X X X
GuardLogix 5570 X Not affected X X X
GuardLogix 5580 X X X X X
FlexLogix 1794-L34 X Not affected X X X
DriveLogix 5730 X Not affected X X X
SoftLogix 5800 X Not affected X X X

Risk Mitigation & User Action

We recommend customers using the affected products, below, to apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to overall increase the security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family Risk Mitigation and Recommended User Actions









ControlLogix 5570
ControlLogix 5580
GuardLogix 5570
GuardLogix 5580
CompactLogix 5380
Compact GuardLogix 5380

Risk Mitigation A:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Put controller mode switch into Run position
If keeping controller mode switch in Run is impractical, use the following mitigation:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Utilize the Controller Log feature
  • Utilize Change Detection in the Logix Designer Application
  • If available, use the functionality in FactoryTalk AssetCentre software to detect changes

Risk Mitigation B:
Implement CIP Security™ to help prevent unauthorized connections when properly deployed.  Supported controllers and communications modules include:
  • ControlLogix 5580 processors using on-board EtherNet/IP port
  • GuardLogix 5580 processors using on-board EtherNet/IP port
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR’s
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP™ module
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port
  • Compact GuardLogix 5380 using on-board EtherNet/IP port

We recommend customers using the affected products, below, to apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.
Product Family Risk Mitigation and Recommended User Actions
1768 CompactLogix
1769 CompactLogix
CompactLogix 5370
CompactLogix 5480
ControlLogix 5560
GuardLogix5560

Risk Mitigation A:
  • Recompile and download user program code (i.e., acd)
  • Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, then use the following mitigation:
  • Recompile and download user program code (i.e., acd)
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Use the Controller Log feature
  • Use Change Detection in the Logix Designer application
  • If available, use the functionality in FactoryTalk AssetCenter to detect changes

In addition to applying risk mitigations, customers should also utilize the detection tools, listed below, to identify if this vulnerability has been exploited in their environment.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies
Do not click on or open URL links from untrusted sources.Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations (Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index.
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • NVD - CVE-2022-1161 (nist.gov)

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 主页 Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
公司
关于我们 工作机会 多元化、道德与完整性 Engage Online Community 投资者关系 可持续性 信托中心
新闻和活动
新闻发布室 新闻稿 Automation Fair 事件
 
趋势图主题
网络安全 数字化转型 智能制造 The Connected Enterprise®
培训
网络研讨会 培训
 
PartnerNetwork
查找合作伙伴 PartnerNetwork 是什么?
 
我们的品牌
Allen-Bradley FactoryTalk LifecycleIQ 服务
联系我们
TechConnect 支持 客户服务中心 一般问题 如何购买 报告道德问题
洞察力
ROKStudios 自动化前沿 博客 案例研究 播客
BlogRockwell Automation's Blog
CN | ZH
法律声明
隐私与 Cookie 策略
电子邮件首选项
Cookie 首选项
可访问性首选项
© 2025 Rockwell Automation
Rockwell Automation 主页
请更新您的Cookies偏好以继续.
此功能需要Cookies来增强您的体验。请更新您的系统偏好以允许使用这些Cookies:
  • 社交媒体Cookies
  • 功能Cookies
  • 性能 Cookies
  • 市场营销Cookies
  • 所有Cookies
您可以随时更新您的系统偏好。如需了解更多信息,请参阅我们的 隐私政策
CloseClose