Remote code execution in Rockwell Automation Logix Controllers

Published: 2022-04-01

Risk	High
Patch available	NO
Number of vulnerabilities	1
CVE-ID	CVE-2022-1161
CWE-ID	CWE-829
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	1768 CompactLogix Hardware solutions / Firmware 1769 CompactLogix Hardware solutions / Firmware CompactLogix 5370 Hardware solutions / Firmware CompactLogix 5380 Hardware solutions / Firmware CompactLogix 5480 Hardware solutions / Firmware Compact GuardLogix 5370 Hardware solutions / Firmware Compact GuardLogix 5380 Hardware solutions / Firmware ControlLogix 5550 Hardware solutions / Firmware ControlLogix 5560 Hardware solutions / Firmware ControlLogix 5570 Hardware solutions / Firmware ControlLogix 5580 Hardware solutions / Firmware GuardLogix 5560 Hardware solutions / Firmware GuardLogix 5570 Hardware solutions / Firmware GuardLogix 5580 Hardware solutions / Firmware FlexLogix 1794-L34 Hardware solutions / Firmware DriveLogix 5730 Hardware solutions / Firmware SoftLogix 5800 Hardware solutions / Firmware
Vendor	Rockwell Automation

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Inclusion of Functionality from Untrusted Control Sphere

EUVDB-ID: #VU61791

Risk: High

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-1161

CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to inclusion of functionality from untrusted control sphere. A remote attacker with the ability to modify a user program can change user program code on some control systems and execute arbitrary code on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

1768 CompactLogix: All versions

1769 CompactLogix: All versions

CompactLogix 5370: All versions

CompactLogix 5380: All versions

CompactLogix 5480: All versions

Compact GuardLogix 5370: All versions

Compact GuardLogix 5380: All versions

ControlLogix 5550: All versions

ControlLogix 5560: All versions

ControlLogix 5570: All versions

ControlLogix 5580: All versions

GuardLogix 5560: All versions

GuardLogix 5570: All versions

GuardLogix 5580: All versions

FlexLogix 1794-L34: All versions

DriveLogix 5730: All versions

SoftLogix 5800: All versions

CPE2.3

External links

http://ics-cert.us-cert.gov/advisories/icsa-22-090-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.