
Rockwell Automation Software Authentication Bypass Vulnerability

CVE advisory | Known Exploit

CVE-2021-22681

Rockwell Automation design software has a flaw allowing unauthorized access to Logix controllers. This affects various Rockwell controllers and could let attackers authenticate with them, posing a business risk to operations.

Halo Surface Signal score: 1

Rockwell Automation FactoryTalk Services Platform

Affected versions: 2.10 and later; 16 to 2021.0 and later

External exposure likelihood

Halo Surface Signal score for CVE-2021-22681

The vulnerability affects industrial control systems (PLCs and design software) which are designed to operate within isolated industrial control network environments. These devices are typically not intended to be exposed to the public internet and are normally protected by multi-layered network segmentation and internal security controls.

Horizon Alert

Summary of the vulnerability and why it matters

Rockwell Automation's Studio 5000 Logix Designer and RSLogix 5000 software contain a flaw that allows unauthorized access to Logix controllers. This vulnerability affects a range of Rockwell controllers, including CompactLogix, ControlLogix, DriveLogix, Compact GuardLogix, GuardLogix, and SoftLogix. An attacker could bypass a verification mechanism to authenticate with these controllers. This could lead to unauthorized applications interacting with critical control systems.

  • Vulnerable Rockwell design software
  • Flaw bypasses controller verification
  • Unauthorized controller access and interaction

Attack Path

How an attacker could exploit the issue

Attackers can exploit a vulnerability in Rockwell Automation's Logix controllers to bypass the verification mechanism the controllers use to check the software connecting to them. This could enable unauthorized applications to connect with Logix controllers, potentially leading to the manipulation or disruption of industrial processes. The attack requires network access to the affected controller.

  • Network access to controller required.
  • Attacker bypasses controller verification.
  • Unauthorized application connects to controller.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk to organizations utilizing Rockwell Automation's Logix controllers and associated design software. An unauthenticated attacker with network access could bypass security mechanisms, allowing them to authenticate with and potentially control critical industrial systems. This could lead to disruptions in operational technology (OT) environments, impacting production and potentially causing safety concerns. The widespread use of these products in industrial settings makes this a concerning issue for operational continuity and security.

  • Attacker skill: No specific skill level required.
  • Access needed: Network access to controllers.
  • Business risk: High impact to operations.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An unauthenticated attacker can bypass a verification mechanism in Rockwell Automation's Studio 5000 Logix Designer and RSLogix 5000 software. This allows unauthorized applications to connect with Logix controllers, posing a significant risk to operational technology systems. Organizations should prioritize identifying and securing these critical assets to mitigate potential business disruption and data compromise.

  • Find affected Rockwell controllers and software.
  • Reduce network exposure of identified assets.
  • Apply vendor fixes and validate the update.
  • Monitor for related security incidents.

Frequently asked questions

What is Rockwell Automation Studio 5000 Logix Designer and RSLogix 5000 software?

Studio 5000 Logix Designer and its predecessor, RSLogix 5000, are Rockwell Automation software applications used by automation engineers to program ControlLogix and CompactLogix programmable logic controllers (PLCs). These PLCs are foundational components in industrial automation systems, managing processes in manufacturing and production environments.

What type of vulnerability is CVE-2021-22681 and its weakness class?

CVE-2021-22681 is an authentication bypass vulnerability, classified under CWE-522 (Insufficiently Protected Credentials). This weakness class indicates that the credentials used for authentication are not adequately protected, potentially allowing unauthorized access.

How can an attacker exploit CVE-2021-22681 and what is the scope of impact?

An unauthenticated attacker with network access to a controller can exploit this vulnerability by bypassing a verification mechanism. This bypass allows an unauthorized application to authenticate with and connect to various Rockwell Logix controllers, potentially impacting industrial processes.

What is the relevance of CVE-2021-22681 for industrial control systems?

CVE-2021-22681 poses a significant risk to industrial control systems (ICS) that utilize Rockwell Automation's Logix controllers and design software. The vulnerability could lead to unauthorized access and control of critical operational technology (OT) environments, potentially disrupting production and affecting safety. This is especially concerning given the wide deployment of these systems in industrial settings.

What are the recommended practical steps for addressing CVE-2021-22681?

Organizations should identify all affected Rockwell controllers and software. It is crucial to reduce the network exposure of these assets, apply vendor-provided fixes, and validate any updates. Continuous monitoring for related security incidents is also recommended to ensure the integrity of operational technology systems.
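The following triage helper is an added example for the remediation steps listed under "Operational Fix" and repeated in this answer; it is not code from the advisory or from Rockwell Automation. It assumes a constructed asset inventory and firewall flow-log format, and it recognises a connection to a controller by its destination port, TCP 44818 (the EtherNet/IP port Logix controllers listen on), which the advisory itself does not mention.

```python
# Added example: triage helper for "find affected assets", "reduce exposure" and
# "monitor"; not advisory or vendor code. Assumption: TCP 44818 (EtherNet/IP) marks CIP connections.
import re
# Affected families named in the advisory, split into controllers and software.
CONTROLLER_FAMILIES = ("CompactLogix", "ControlLogix", "DriveLogix",
                       "Compact GuardLogix", "GuardLogix", "SoftLogix")
SOFTWARE_FAMILIES = ("Studio 5000 Logix Designer", "RSLogix 5000",
                     "FactoryTalk Services Platform")
ENIP_PORT = 44818  # assumption: EtherNet/IP listener on Logix controllers

# Constructed sample inventory: (hostname, product, ip, network zone).
INVENTORY = [
    ("plc-line1", "ControlLogix 1756-L7x", "10.10.3.11", "ics-cell"),
    ("plc-line2", "Compact GuardLogix 5380", "10.10.3.12", "ics-cell"),
    ("eng-ws-01", "Studio 5000 Logix Designer v32", "10.10.2.5", "ics-engineering"),
    ("hmi-01", "FactoryTalk View SE", "10.10.2.9", "ics-supervisory"),
    ("fileserver", "Windows Server 2019", "10.20.0.4", "corporate"),
]
# Constructed sample firewall flow log, one allowed connection per line.
FLOW_LOG = """\
src=10.10.2.5 dst=10.10.3.11 dport=44818 action=allow
src=10.20.0.4 dst=10.10.3.12 dport=44818 action=allow
src=10.10.2.9 dst=10.10.3.11 dport=44818 action=allow
src=192.0.2.77 dst=10.10.3.11 dport=44818 action=allow
src=10.20.0.4 dst=10.10.3.11 dport=443 action=allow
"""
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

def _matches(product, families):
    return any(f.lower() in product.lower() for f in families)

def find_affected(inventory):
    """Step 1: (hostname, kind) for every inventory asset in an affected family."""
    kinds = (("controller", CONTROLLER_FAMILIES), ("software", SOFTWARE_FAMILIES))
    return [(host, kind) for host, product, _ip, _zone in inventory
            for kind, fams in kinds if _matches(product, fams)]

def flag_exposure(inventory, flow_log, allowed_zones=("ics-engineering", "ics-supervisory")):
    """Steps 2 and 4: CIP-port connections to affected controllers from outside the expected zones."""
    zone_of = {ip: zone for _h, _p, ip, zone in inventory}
    controllers = {ip for _h, p, ip, _z in inventory if _matches(p, CONTROLLER_FAMILIES)}
    findings = []
    for m in FLOW_RE.finditer(flow_log):
        src, dst, dport, _action = m.groups()
        if int(dport) != ENIP_PORT or dst not in controllers:
            continue
        src_zone = zone_of.get(src, "unknown")  # a source missing from the inventory is itself a finding
        if src_zone not in allowed_zones:
            findings.append((src, dst, src_zone))
    return findings
```

Each finding names a source that can reach an affected controller on the CIP port from outside the zones that should be talking to it; those are the firewall rules to tighten (step 2) and the connections to alert on going forward (step 4).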
