Studio 5000 Logix Designer, RSLogix 5000 and Logix controllers use a hardcoded key to verify participants of communication.
Analysis Summary
# Vulnerability: Hardcoded Key Authentication Bypass in Rockwell Automation Logix Controllers
## CVE Details
- **CVE ID:** CVE-2021-22681
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-321 (Use of Hard-coded Cryptographic Key)
## Affected Systems
- **Products:**
- Studio 5000 Logix Designer (v21 and later)
- RSLogix 5000 (v16–v20)
- RSLogix 5000 PLC Emulator
- **Hardware Controllers:**
- CompactLogix (1768, 1769, 5370, 5380, 5480)
- ControlLogix (5550, 5560, 5570, 5580)
- GuardLogix (5370, 5380, 5560, 5570, 5580)
- DriveLogix 5730, FlexLogix 1794-L34, SoftLogix 5800
- **Versions:** RSLogix 5000 v16 through v20 and Studio 5000 Logix Designer v21 and later on the engineering side; consult the vendor advisory for the affected firmware revision of each controller family.
- **Configurations:** Any deployment in which a listed controller accepts engineering connections over EtherNet/IP (44818/TCP) from a listed engineering tool. Because the key is built into the software and firmware rather than configured per site, no particular setting has to be enabled for a system to be exposed.
## Vulnerability Description
The affected software and firmware use a hardcoded cryptographic key to verify the identity of communication participants. Because the same key ships in every copy of the engineering tools and controller firmware, possessing it proves nothing about which participant is on the other end of the connection. An attacker who extracts the key once, from either the software or a firmware image, can use it to spoof a legitimate engineering workstation or controller against any affected device. This bypasses the authentication check and allows an unauthorized party to issue commands directly to the PLC or emulator.
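The following added example is not Rockwell's protocol and not code from the advisory; it models the weakness in CWE-321 terms. A verifier accepts anyone who proves possession of a key that is identical in every shipped binary, an attacker recovers that key from a constructed stand-in for a firmware image, and a per-device enrolment shape shows why a single extraction need not be fatal. The key value, the image layout, the `AUTHKEY=` marker and the use of HMAC-SHA256 are all assumptions made for the illustration.

```python
"""Illustration of CWE-321 (hardcoded key used for peer authentication).

Added example: the verifier, key, firmware layout and HMAC construction are
assumptions for the demonstration, not Rockwell's wire protocol.
"""
import hashlib
import hmac
import os

# Hypothetical vendor-wide key, assumed to be embedded verbatim in every image.
SHARED_KEY = b"VENDOR-WIDE-SECRET-0001"

# Constructed stand-in for a firmware image: marker, key, NUL terminator.
FAKE_FIRMWARE = b"\x00" * 64 + b"AUTHKEY=" + SHARED_KEY + b"\x00" * 64


class Controller:
    """Verifier that checks proof of possession of one static key."""

    def __init__(self, key: bytes):
        self._key = key

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def extract_key_from_firmware(image: bytes, marker: bytes = b"AUTHKEY=") -> bytes:
    """Attacker step: recover the static key from a copy of the image.
    The marker/NUL layout is constructed for the example."""
    start = image.index(marker) + len(marker)
    end = image.index(b"\x00", start)
    return image[start:end]


def attacker_response(challenge: bytes, image: bytes) -> bytes:
    """Answer a challenge with the extracted key; indistinguishable from the
    legitimate engineering software, which uses the very same key."""
    key = extract_key_from_firmware(image)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def shared_key_bypass_succeeds() -> bool:
    """Any controller built around SHARED_KEY accepts the attacker."""
    plc = Controller(SHARED_KEY)
    c = plc.challenge()
    return plc.verify(c, attacker_response(c, FAKE_FIRMWARE))


class ProvisionedController:
    """Hardened shape: each workstation is enrolled with its own key on each
    controller. Extracting one key exposes one pairing, and it can be revoked."""

    def __init__(self):
        self._enrolled = {}

    def enroll(self, workstation_id: str) -> bytes:
        key = os.urandom(32)
        self._enrolled[workstation_id] = key
        return key

    def revoke(self, workstation_id: str) -> None:
        self._enrolled.pop(workstation_id, None)

    def verify(self, workstation_id: str, challenge: bytes, response: bytes) -> bool:
        key = self._enrolled.get(workstation_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def provisioned_rejects_foreign_key() -> bool:
    """The vendor-wide key pulled from an image is useless against a
    controller whose enrolled key never left the workstation/controller pair."""
    plc = ProvisionedController()
    plc.enroll("ews-01")
    c = os.urandom(16)
    forged = hmac.new(extract_key_from_firmware(FAKE_FIRMWARE), c, hashlib.sha256).digest()
    return not plc.verify("ews-01", c, forged)


def provisioned_accepts_enrolled_then_revokes() -> bool:
    """Enrolled workstation is accepted; after revocation the same proof fails."""
    plc = ProvisionedController()
    key = plc.enroll("ews-01")
    c = os.urandom(16)
    resp = hmac.new(key, c, hashlib.sha256).digest()
    accepted = plc.verify("ews-01", c, resp)
    plc.revoke("ews-01")
    return accepted and not plc.verify("ews-01", c, resp)


if __name__ == "__main__":
    print("bypass with extracted shared key:", shared_key_bypass_succeeds())
    print("per-device keys resist extracted key:", provisioned_rejects_foreign_key())
```

The point of the contrast is not the HMAC itself but where the key lives: a secret that is the same everywhere is a constant, and a constant cannot identify anyone.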
## Exploitation
- **Status:** Proof of Concept (PoC) available.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Attacker can read sensitive controller data)
- **Integrity:** High (Attacker can modify logic, configurations, or state)
- **Availability:** High (attacker can stop the controller or disrupt industrial processes)
## Remediation
### Patches
Rockwell Automation has published detailed mitigation and version-specific update guidance in its security bulletin (a vendor account login is required to read it). Users are advised to move to the firmware revisions named in the bulletin for their respective hardware families where available, rather than assuming that any newer release changes the verification mechanism.
### Workarounds
- **Physical mode switch:** Set the controller's keyswitch to RUN. In RUN mode the controller rejects program downloads and online edits regardless of who is on the network, and the switch cannot be changed remotely. The limit of this control is that tag values can still be read and written over the network, so it protects the program, not the process data.
- **Restrict engineering access:** Allow 44818/TCP to the controllers only from designated engineering workstations, and treat any other source as hostile (see Detection below).
## Detection
### Indicators of Compromise
- Connections, including blocked attempts, to port 44818/TCP (EtherNet/IP) on a controller from any address that is not a designated engineering workstation.
- Changes to PLC logic, configuration or controller mode that are not associated with scheduled maintenance.
### Detection Methods and Tools
- **Network Intrusion Detection System (NIDS):** Deploy signatures for EtherNet/IP session establishment and CIP service requests (for example program download or mode change) originating from hosts that are not approved engineering workstations. The protocol itself cannot tell a spoofed workstation from a real one, so the source host is the attribute to key on.
- **Firewall Logging:** Log and audit all traffic to port 44818/TCP on the controller subnet, accepted and dropped alike.
- **Network Segmentation:** Apply strict access control lists (ACLs) so that only authorized engineering workstations can reach the PLC subnet. Once that is in place, any other host appearing on 44818/TCP in the firewall logs is itself a high-confidence indicator.
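The detection logic above, as an added example that is not tooling from the advisory: the first function scans constructed firewall log lines for 44818/TCP connections into the PLC subnet from hosts outside an allowlist of engineering workstations; the second decodes the EtherNet/IP encapsulation header of observed payloads and rates commands from non-approved hosts, so session registration from an unknown host ranks above mere identity discovery. The log format, addresses, allowlist and packets are constructed for the example; the header layout and command codes are those of the EtherNet/IP encapsulation specification.

```python
"""Added detection example for CVE-2021-22681-style exposure (not from the
advisory). Log format, addresses, allowlist and packets are constructed."""
import ipaddress
import re
import struct
from dataclasses import dataclass

ENIP_PORT = 44818
# Approved engineering workstations and the controller subnet (assumed).
APPROVED_EWS = {ipaddress.ip_address("10.10.1.50"), ipaddress.ip_address("10.10.1.51")}
PLC_SUBNET = ipaddress.ip_network("10.10.20.0/24")

# EtherNet/IP encapsulation command codes.
ENIP_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnregisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}
SESSION_COMMANDS = {"RegisterSession", "SendRRData", "SendUnitData"}

# Constructed firewall log format: "<ts> ACCEPT|DROP TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = [  # constructed
    "2021-03-02T10:00:01Z ACCEPT TCP 10.10.1.50:51234 -> 10.10.20.5:44818",
    "2021-03-02T10:00:05Z ACCEPT TCP 10.10.1.77:40000 -> 10.10.20.5:44818",
    "2021-03-02T10:00:07Z DROP TCP 192.168.5.9:40001 -> 10.10.20.6:44818",
    "2021-03-02T10:00:09Z ACCEPT TCP 10.10.1.77:40002 -> 10.10.20.5:80",
]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def scan_firewall_log(lines):
    """Flag 44818/TCP into the PLC subnet from any non-approved source.
    Dropped attempts are reported too: a probe is an indicator in itself."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or int(m["dport"]) != ENIP_PORT:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst in PLC_SUBNET and src not in APPROVED_EWS:
            alerts.append(Alert(m["ts"], str(src), str(dst),
                                f"{m['action']} 44818/TCP from non-approved host"))
    return alerts


def parse_enip_header(payload: bytes):
    """Decode the 24-byte little-endian ENIP encapsulation header:
    command(2) length(2) session(4) status(4) sender_context(8) options(4).
    Returns (command name, session handle, data length) or None if truncated."""
    if len(payload) < 24:
        return None
    command, length, session, _status, _ctx, _opts = struct.unpack("<HHII8sI", payload[:24])
    return ENIP_COMMANDS.get(command, f"0x{command:04x}"), session, length


def build_enip(command: int, session: int = 0, data: bytes = b"") -> bytes:
    """Constructed helper to build sample packets for the example."""
    return struct.pack("<HHII8sI", command, len(data), session, 0, b"\x00" * 8, 0) + data


# Constructed (source, first payload bytes) pairs as a sensor might record them.
FLOWS = [
    ("10.10.1.50", build_enip(0x0065, 0, b"\x01\x00\x00\x00")),  # approved EWS registers a session
    ("10.10.1.77", build_enip(0x0065, 0, b"\x01\x00\x00\x00")),  # unknown host registers a session
    ("10.10.1.77", build_enip(0x0063)),                          # unknown host enumerates identity
    ("10.10.1.77", b"\x65\x00"),                                  # truncated, undecodable
]


def enip_session_alerts(flows):
    """Rate ENIP commands from non-approved hosts: session-carrying commands
    are high, discovery commands are low, approved hosts are ignored."""
    out = []
    for src, payload in flows:
        if ipaddress.ip_address(src) in APPROVED_EWS:
            continue
        hdr = parse_enip_header(payload)
        if hdr is None:
            continue
        name = hdr[0]
        severity = "high" if name in SESSION_COMMANDS else "low"
        out.append((src, name, severity))
    return out


if __name__ == "__main__":
    for a in scan_firewall_log(SAMPLE_LOG):
        print(a)
    for s in enip_session_alerts(FLOWS):
        print(s)
```

The allowlist is the whole detection: because the spoofed workstation presents the same key as a real one, nothing inside the protocol distinguishes them, and the only reliable discriminator is which host the session came from.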
## References
- **Vendor Advisory:** hxxps[://]rockwellautomation[.]custhelp[.]com/app/answers/answer_view/a_id/1130301
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2021/03/02/klcert-17-029-authentication-bypass-in-rockwell-automation-logix-controllers/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2021-22681