OTPulse

B&R Industrial Automation Automation Studio 4

Plan PatchCVSS 8.3ICS-CERT ICSA-22-228-05Aug 16, 2022
Manufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionRequired
Summary

B&R Automation Studio 4 contains an input validation flaw in an optional project file upload/backup feature that allows an attacker to execute arbitrary code within the Studio application or on connected PLCs. The vulnerability is triggered when a user opens a specially crafted project file. If the PLC has the project backup feature enabled and communication is not protected with encryption and strong authentication, an attacker could execute commands on the PLC itself. This feature is not activated by default. The vulnerability affects all versions of Automation Studio 4 with no vendor patch planned.

What this means
What could happen
An attacker could execute arbitrary code within Automation Studio 4 or on connected PLCs through a vulnerable project upload feature, compromising system integrity, stealing confidential project data, or disrupting production control systems.
Who's at risk
Manufacturing facilities using B&R Automation Studio 4 for PLC programming and automation engineering. This primarily affects engineering teams who develop, maintain, or update industrial control logic for production systems. Any facility with B&R PLCs connected to engineering workstations where the optional project backup/upload feature is in use is at risk.
How it could be exploited
An attacker must craft a malicious project file and convince a user to open it in Automation Studio 4 (requires user interaction). If the optional project upload feature is enabled on the PLC, the attacker could then upload and execute code on the target PLC by exploiting weak authentication or unencrypted communication channels. The attack requires high complexity (high AC rating) because the feature is disabled by default and specific conditions must be present.
Prerequisites
  • Automation Studio 4 must be running on an engineer's workstation
  • User must open a malicious project file (social engineering required)
  • Optional 'Backing up project source files on the target system' feature must be enabled on the target PLC
  • ANSL communication must be unencrypted or SSL/authentication must be disabled
  • Network access from the workstation to the PLC (direct or through corporate network)
Remotely exploitable (requires network access from engineering workstation to PLC)User interaction required (must socially engineer engineer to open malicious project file)High complexity attackNo vendor patch available (end-of-life product)Can affect control system integrity and data confidentiality
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (1)
ProductAffected VersionsFix Status
Automation Studio 4: All versionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/9
Do now
0/3
WORKAROUNDDo not enable the project upload/backing up feature unless absolutely required for your automation projects
HARDENINGRun Automation Studio 4 with standard user privileges, not administrator or elevated privileges
HARDENINGVerify integrity of Automation Studio project files exchanged over email or external channels using cryptographic hashes or digital signatures before opening
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

HARDENINGIf the project backup feature is in use, enforce strong password protection on PLC project backup configurations
HARDENINGUse ANSL over SSL (encrypted connection) when communicating between Automation Studio and PLCs
HARDENINGEnable authentication on all PLCs that have project backup or upload capabilities
HARDENINGEnsure Windows User Access Control (UAC) is enabled on all engineering workstations running Automation Studio
Mitigations - no patch available
0/2
Automation Studio 4: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGPlace PLC networks behind firewalls and isolate from corporate business networks
HARDENINGRestrict network access to Automation Studio engineering workstations and PLCs to authorized engineering staff only
View full CISA ICS-CERT advisory
API: /api/v1/advisories/f8a5c56a-72d6-450e-85ac-280678545d3d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

B&R Industrial Automation Automation Studio 4 | CVSS 8.3 - OTPulse