External risk intelligence

Rockwell Automation Controllers and Software Vulnerable to Unauthorized Access

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2020-6990

A vulnerability in Rockwell Automation controllers and software could allow unauthorized remote access to controllers if an attacker discovers an embedded cryptographic key. This impacts operational technology systems and poses a risk to business operations.

1Halo Surface Signal

Rockwell Automation MicroLogix 1400 A Firmware

21.001 and earlier

12.001 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2020-6990

The vulnerability affects industrial control systems (PLCs) and engineering software used to manage them. These devices and their associated management software are typically deployed within isolated, segmented operational technology (OT) networks and are not intended for or typically exposed to the public internet.

PCI scan relevance

PCI Relevance for CVE-2020-6990

Yes

CVE-2020-6990 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthorized access due to hard-coded credentials, which would likely cause a PCI ASV external scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

The identified Rockwell Automation products contain a flaw related to how account passwords are protected. The cryptographic key used for password protection is embedded directly within the software. This embedded key could be discovered by an attacker, potentially enabling them to conduct further attacks and gain unauthorized remote access to the controller. This could lead to a compromise of critical operational systems.

  • Rockwell Automation MicroLogix controllers and RSLogix 500 software
  • Embedded cryptographic key can be discovered
  • Unauthorized remote access to controllers

Attack Path

How an attacker could exploit the issue

The cryptographic key used to protect account passwords is hardcoded within the RSLogix 500 software. An attacker could discover this key and use it to perform further cryptographic attacks. This could allow a remote attacker to gain unauthorized access to the controller.

  • The cryptographic key is exposed.
  • An attacker identifies the key.
  • Unauthorized access to the controller results.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability affects specific Rockwell Automation industrial control systems and software. Attackers with advanced skills could exploit a weakness in how account passwords are protected. This could potentially allow unauthorized remote access to control system functions, posing a significant risk to operational integrity.

  • Likely attacker skill level: Advanced.
  • Required access or conditions: Network access.
  • Business risk or urgency: Significant operational risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Rockwell Automation MicroLogix controllers and RSLogix 500 software. Attackers can exploit a hardcoded cryptographic key to gain unauthorized access to controllers, potentially leading to system compromise. This could affect operational technology systems, employee access, and business operations.

  • Identify affected controllers and software.
  • Restrict network access to controllers.
  • Apply vendor updates and monitor systems.

Frequently asked questions

What are Rockwell Automation MicroLogix controllers and RSLogix 500 software?

Rockwell Automation MicroLogix controllers are programmable logic controllers (PLCs) used in industrial automation for managing and controlling machinery and processes. RSLogix 500 is the software used by engineers to program, configure, and troubleshoot these controllers.

What is the weakness class for CVE-2020-6990?

This vulnerability is classified under CWE-321, "Use of Hard-coded Cryptographic Key," and CWE-798, "Use of Hard-coded Credentials." This means the key used to protect passwords is built directly into the software, making it discoverable.

How could an attacker exploit CVE-2020-6990?

An attacker could discover the hard-coded cryptographic key within the RSLogix 500 software. With this key, they could perform further cryptographic attacks to gain unauthorized remote access to the controller.

What is the relevance of Halo Surface Signal's assessment for CVE-2020-6990?

Halo Surface Signal assesses this vulnerability as 'Very unlikely' to be exploited externally. This is because the affected systems, industrial control systems (PLCs) and their management software, are typically isolated within operational technology (OT) networks and not exposed to the public internet.

What steps should be taken in response to this vulnerability?

Identify all affected Rockwell Automation MicroLogix controllers and RSLogix 500 software. It is crucial to restrict network access to these controllers. Apply any vendor-provided updates and continuously monitor affected systems for suspicious activity.
