Rockwell Automation Studio 5000 Logix Designer

Monitor7.7ICS-CERT ICSA-22-090-07Mar 31, 2022

Attack VectorLocal

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

Successful exploitation allows an attacker with local access to an engineering workstation running Studio 5000 Logix Designer to download a modified program to ControlLogix 5580, GuardLogix 5580, CompactLogix 5380/5480, or Compact GuardLogix 5380 controllers. The modified program would execute without detection by standard means. No direct mitigation exists in the software; detection requires manual program comparison using Logix Designer Compare Tool v9+ or FactoryTalk AssetCentre v12+. Rockwell Automation recommends upgrading to Studio 5000 v34 or later and implementing periodic program verification on an uncompromised workstation. No public exploits exist, and this vulnerability is not remotely exploitable.

What this means

What could happen

An attacker with physical or local access to an engineering workstation could download a modified program into a Logix controller, altering process logic and potentially disrupting manufacturing or critical operations without being detected by normal means.

Who's at risk

Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380 and 5480, and Compact GuardLogix 5380 programmable logic controllers (PLCs) programmed with Studio 5000 Logix Designer. This affects manufacturers and utilities running production lines, assembly systems, safety-critical processes, and any facility relying on these controllers for process automation.

How it could be exploited

An attacker must have local access to a workstation running Studio 5000 Logix Designer and be able to download a modified program to a connected controller. The attacker could modify the controller program to change process setpoints, disable safety interlocks, or stop operations. Detection is not automatic; the malicious program would run undetected unless the operator manually performs a program comparison using the Compare Tool or FactoryTalk AssetCentre.

Prerequisites

Local access to an engineering workstation running Studio 5000 Logix Designer
Ability to connect the workstation to the target controller (USB, Ethernet, or serial)
Knowledge of the program download process in Logix Designer
Access requires high privilege (engineering credentials typically restricted on the workstation)

No authentication required to modify and download programs to controllerLow complexity attack (straightforward program download mechanism)No patch available from vendorAffects safety-critical systems (GuardLogix and Compact GuardLogix)Local attack only but difficult to detect without manual verification

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

Studio 5000 Logix Designer - ControlLogix 5580 controllersAll versionsNo fix (EOL)

Studio 5000 Logix Designer - GuardLogix 5580 controllersAll versionsNo fix (EOL)

Studio 5000 Logix Designer - CompactLogix 5380 controllersAll versionsNo fix (EOL)

Studio 5000 Logix Designer - CompactLogix 5480 controllersAll versionsNo fix (EOL)

Studio 5000 Logix Designer - Compact GuardLogix 5380 controllersAll versionsNo fix (EOL)

Remediation & Mitigation

0/7

Do now

0/2

HARDENINGRestrict physical access to engineering workstations; store them in locked rooms or secure areas when not in use

HARDENINGImplement role-based access control on engineering workstations; limit download permissions to authorized personnel only

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Studio 5000 to version 34 or later and corresponding controller firmware (ControlLogix 5580, GuardLogix 5580, CompactLogix 5380/5480, Compact GuardLogix 5380)

HOTFIXInstall Logix Designer Compare Tool v9 or later (installed with Studio 5000 v34+) to enable on-demand program verification

WORKAROUNDImplement scheduled program verification using FactoryTalk AssetCentre v12 or later (available Fall 2022) on an uncompromised workstation

WORKAROUNDPerform periodic manual program verification on an uncompromised workstation to detect unauthorized program modifications

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Studio 5000 Logix Designer - ControlLogix 5580 controllers, Studio 5000 Logix Designer - GuardLogix 5580 controllers, Studio 5000 Logix Designer - CompactLogix 5380 controllers, Studio 5000 Logix Designer - CompactLogix 5480 controllers, Studio 5000 Logix Designer - Compact GuardLogix 5380 controllers. Apply the following compensating controls:

HARDENINGIsolate the control network from the business network with firewalls; do not expose controllers to the Internet

CVEs (1)

CVE-2022-1159

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d6d78b89-e719-4ac9-ab2c-c96dab87ef3c