Security news that informs and inspires

CISA Warns of Serious Flaws in Rockwell Automation's PLCs

There is a serious vulnerability in the firmware that runs on several Rockwell Automation industrial controllers that could allow a remote attacker to disrupt the operation of a vulnerable controller.

The vulnerability (CVE-2022-3752) is a denial-of-service flaw in a number of Rockwell's controllers, including CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix. The controllers are deployed in a range of industries, including manufacturing and other industrial settings, and run embedded Windows. The controllers serve a variety of functions, and Rockwell Automation has released updated firmware for each of the affected models.

“An unauthorized user could use a specially crafted sequence of Ethernet and IP messages and combine them with heavy traffic loading to cause a denial-of-service condition in Rockwell Automation Logix controllers, resulting in a denial-of-service condition. If the target device becomes unavailable in this condition, a user would have to clear and redownload the user project file to bring the device back online,” an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) says.

The vulnerable controllers are the CompactLogix 5380 firmware versions 31.011 and later, Compact GuardLogix 5380 versions 31.011 and later, CompactLogix 5480 versions 32.011 and later, ControlLogix 5580 versions 31.011 and later, and GuardLogix 5580 versions 31.011 and later. The company has released firmware updates for each of these.

CISA also issued an advisory about a SQL injection vulnerability in Advantech's iView software, which is used for remote management. Researchers at Tenable discovered the vulnerability, and an exploit for it is publicly available.

“The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password,” the Tenable advisory says.

Tenable first disclosed the flaw in September.
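As an added defensive example, not code from the article, Tenable or Advantech, the following Python script scans web-server access-log lines for requests that reach the ConfigurationServlet with the setConfiguration action and a column_value parameter carrying SQL metacharacters, which is the request shape the Tenable advisory describes. The log lines are constructed, and the URL path /iView/ConfigurationServlet and the common log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). The path
# "/iView/ConfigurationServlet" is an assumption; only the servlet name, the
# setConfiguration action and the column_value parameter come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2022:10:01:02 +0000] "GET /iView/ConfigurationServlet?action=setConfiguration&column_value=3 HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2022:10:01:07 +0000] "GET /iView/ConfigurationServlet?action=setConfiguration&column_value=1%27%20UNION%20SELECT%20password%20FROM%20users--%20 HTTP/1.1" 200 1034
10.0.0.9 - - [12/Nov/2022:10:01:09 +0000] "GET /iView/ConfigurationServlet?action=getConfiguration HTTP/1.1" 200 220
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Metacharacters and keywords that have no business in a configuration column value.
SQLI_RE = re.compile(r"'|--|/\*|;|\b(?:union|select)\b", re.IGNORECASE)


def column_value_reason(url):
    """Return why a request URL looks like a setConfiguration SQLi attempt, or None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/configurationservlet"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "setconfiguration" not in [a.lower() for a in params.get("action", [])]:
        return None
    for value in params.get("column_value", []):
        match = SQLI_RE.search(value)
        if match:
            return "column_value contains %r" % match.group(0)
    return None


def flag_requests(log_text):
    """Return (source, timestamp, reason) for each suspicious request in the log text.
    Only GET parameters are visible here; a POST body never reaches the access log,
    so pair this with proxy or WAF logs that record request bodies."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = column_value_reason(m.group("url"))
        if reason:
            hits.append((m.group("src"), m.group("ts"), reason))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("ALERT %s %s: %s" % hit)
```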