Rockwell Automation RSLogix 5 and RSLogix 500

Monitor | CVSS 7.7 | ICS-CERT ICSA-24-263-01 | Sep 19, 2024
Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Rockwell Automation RSLogix 5, RSLogix 500, and RSLogix Micro Developer and Starter contain a vulnerability in the Visual Basic for Applications (VBA) macro execution framework. An attacker could embed malicious VBA code within an RSLogix project file. When the project file is opened in RSLogix by an authorized user, the embedded VBA code executes with the privileges of the engineering workstation, allowing arbitrary code execution. This is particularly dangerous because engineering workstations typically have trusted access to industrial control networks and PLCs.

What this means
What could happen
An attacker with local access to an engineering workstation could execute arbitrary code through malicious VBA macros embedded in RSLogix project files, potentially allowing them to alter PLC logic, modify control parameters, or disrupt plant operations.
Who's at risk
Engineering teams and plant operators at water utilities, power distribution, and manufacturing facilities using RSLogix 5, RSLogix 500, or RSLogix Micro Developer to program and maintain Allen-Bradley PLCs and CompactLogix controllers are affected. Risk is highest in facilities where engineering workstations are used to download logic to active control systems.
How it could be exploited
An attacker must first place a malicious RSLogix project file (containing VBA code) on the engineering workstation—either through email, USB, or network file share. When an authorized operator opens the file in RSLogix 5, 500, or Micro Developer, the embedded VBA macro executes with the privileges of the engineering workstation, which typically has direct access to PLCs and control networks.
Prerequisites
  • Local or shared file access to the engineering workstation
  • Target must open a malicious RSLogix project file (.rsx, .rs5, etc.)
  • User interaction required (file must be opened)
  • VBA execution must be enabled in FactoryTalk Administration Console (default state)
  • Local access required (no remote exploitation)
  • High attack complexity
  • User interaction required (must open file)
  • No patch available
  • Affects engineering/development tools with access to PLCs
  • VBA execution enabled by default
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
RSLogix 5: vers:all/* | All versions | No fix (EOL)
RSLogix 500: vers:all/* | All versions | No fix (EOL)
RSLogix Micro Developer and Starter: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Deny VBA execution in FactoryTalk Administration Console by navigating to Policies, selecting 'Enable/Disable VBA', and checking the 'Deny' box
  • HARDENING: Store all RSLogix project files in a protected directory accessible only to trusted administrators; verify file integrity before opening
  • HARDENING: Enable VBA editor password protection in RSLogix to prevent unauthorized modification of VBA code within project files
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Establish a file-review process requiring an independent technical review of any RSLogix project files from external sources before opening on engineering workstations
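
An added example, not part of the original advisory or of any Rockwell tooling: one way to implement the "verify file integrity before opening" and independent-review items above, assuming reviewed project files live in one protected directory and are hashed into a manifest once review is complete. The function names, the manifest layout and the sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large project files are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(protected_dir: Path) -> dict:
    """Record the hash of every file in the protected directory after review."""
    root = protected_dir.resolve()
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_before_open(candidate: Path, protected_dir: Path, manifest: dict) -> str:
    """Classify a project file; only 'approved' should be opened in RSLogix."""
    root, target = protected_dir.resolve(), candidate.resolve()
    try:
        key = target.relative_to(root).as_posix()  # resolve() defeats ../ tricks
    except ValueError:
        return "outside"      # e-mail, USB or share copy, not in the directory
    if key not in manifest:
        return "unreviewed"   # placed in the directory without a review
    if not target.is_file():
        return "missing"
    return "approved" if sha256_file(target) == manifest[key] else "modified"


def demo() -> list:
    """Run the check on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "reviewed"             # stands in for the protected dir
        vault.mkdir()
        (vault / "line1.rsx").write_bytes(b"constructed project A")
        (vault / "line2.rsx").write_bytes(b"constructed project B")
        manifest = build_manifest(vault)           # snapshot taken after review
        (vault / "line2.rsx").write_bytes(b"constructed project B, altered")
        (vault / "new.rsx").write_bytes(b"constructed, added after review")
        inbox = Path(tmp) / "inbox.rsx"            # file from an external source
        inbox.write_bytes(b"constructed attachment")
        return [check_before_open(p, vault, manifest) for p in
                (vault / "line1.rsx", vault / "line2.rsx", vault / "new.rsx", inbox)]
```

Keep the manifest somewhere the workstation user cannot write; otherwise a modified project file can simply be re-hashed along with it.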
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RSLogix 5: vers:all/*, RSLogix 500: vers:all/*, RSLogix Micro Developer and Starter: vers:all/*. Apply the following compensating controls:
  • HARDENING: Restrict engineering workstations to a segregated network segment with firewall rules that deny direct access from general business networks or the internet
Rockwell Automation RSLogix 5 and RSLogix 500 | CVSS 7.7 - OTPulse