CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
41.5%
An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code, allowing an attacker to change one and not the other.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(500630);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");
script_cve_id("CVE-2022-1161");
script_xref(name:"ICSA", value:"22-090-05");
script_name(english:"Rockwell Automation Logix Controllers Inclusion of Functionality From Untrusted Control Sphere (CVE-2022-1161)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"An attacker with the ability to modify a user program may change user
program code on some ControlLogix, CompactLogix, and GuardLogix
Control systems. Studio 5000 Logix Designer writes user-readable
program code to a separate location than the executed compiled code,
allowing an attacker to change one and not the other.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-05");
script_set_attribute(attribute:"see_also", value:"https://www.rockwellautomation.com/en-us/support/advisory.PN1585.html");
# https://claroty.com/team82/research/hiding-code-on-rockwell-automation-plcs
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c944bfe");
# https://www.rockwellautomation.com/en-us/support/advisory.PN1585.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e0526e5e");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Users using the affected software or controllers are directed towards the risk mitigation steps listed below and are
encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-
depth strategy.
The following mitigations should be applied for ControlLogix 5560, ControlLogix 5570, ControlLogix 5580 series,
GuardLogix 5570, GuardLogix 5580, GuardLogix 5380, CompactLogix, CompactLogix 5380 devices:
Risk Mitigation A:
- Recompile and download user program code (i.e., acd).
- Put controller mode switch into Run position.
If keeping controller mode switch in Run is impractical, use the following mitigation:
- Recompile and download user program code (i.e., acd).
- Monitor controller change log for any unexpected modifications or anomalous activity.
- Utilize the Controller Log feature.
- Utilize Change Detection in the Logix Designer Application.
- If available, use the functionality in FactoryTalk AssetCenter software to detect changes.
Risk Mitigation B:
Implement CIP Security to help prevent unauthorized connections when properly deployed. Supported controllers and
communications modules include:
- ControlLogix 5580 processors using on-board EtherNet/IP port.
- GuardLogix 5580 processors using on-board EtherNet/IP port.
- ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR
- ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR
ControlLogix EtherNet/IP module.
- If using a 1756-EN2T, then replace with a 1756-EN4TR
- CompactLogix 5380 using on-board EtherNet/IP port.
- CompactLogix GuardLogix 5380 using on-board EtherNet/IP port.
The following mitigations should be applied for 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, and
CompactLogix 5480 devices:
- Recompile and download user program code (i.e., acd).
- Put controller mode switch into Run position.
If keeping controller mode switch in Run is impractical, then use the following mitigation:
- Recompile and download user program code (i.e., acd).
- Monitor controller change log for any unexpected modifications or anomalous activity.
- Use the Controller Log feature.
- Use Change Detection in the Logix Designer application.
- If available, use the functionality in FactoryTalk AssetCenter to detect changes.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-1161");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(829);
script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/11");
script_set_attribute(attribute:"patch_publication_date", value:"2022/04/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/04/28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compact_guardlogix_5370_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compact_guardlogix_5380_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_1768-l43_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_1768-l45_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_1769-l31_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_1769-l32c_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_1769-l32e_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_1769-l35cr_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_1769-l35e_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l2_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5380_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5480_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5550_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5560_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5570_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5580_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:drivelogix_5730_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:flexlogix_1794-l34_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5560_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5570_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5580_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:softlogix_5800_firmware");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Rockwell");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Rockwell');
var asset = tenable_ot::assets::get(vendor:'Rockwell');
var vuln_cpes = {
"cpe:/o:rockwellautomation:compactlogix_1768-l43_firmware" :
{"family" : "CompactLogix5340"},
"cpe:/o:rockwellautomation:compactlogix_1768-l45_firmware" :
{"family" : "CompactLogix5340"},
"cpe:/o:rockwellautomation:compactlogix_1769-l31_firmware" :
{"family" : "CompactLogix5330"},
"cpe:/o:rockwellautomation:compactlogix_1769-l32c_firmware" :
{"family" : "CompactLogix5330"},
"cpe:/o:rockwellautomation:compactlogix_1769-l32e_firmware" :
{"family" : "CompactLogix5330"},
"cpe:/o:rockwellautomation:compactlogix_1769-l35cr_firmware" :
{"family" : "CompactLogix5330"},
"cpe:/o:rockwellautomation:compactlogix_1769-l35e_firmware" :
{"family" : "CompactLogix5330"},
"cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware" :
{"family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:compactlogix_5370_l2_firmware" :
{"family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware" :
{"family" : "CompactLogix5370"},
"cpe:/o:rockwellautomation:compactlogix_5380_firmware" :
{"family" : "CompactLogix5380"},
"cpe:/o:rockwellautomation:compactlogix_5480_firmware" :
{"family" : "CompactLogix5480"},
"cpe:/o:rockwellautomation:compact_guardlogix_5370_firmware" :
{"family" : "GuardLogix5370"},
"cpe:/o:rockwellautomation:compact_guardlogix_5380_firmware" :
{"family" : "GuardLogix5380"},
"cpe:/o:rockwellautomation:controllogix_5550_firmware" :
{"family" : "ControlLogix5550"},
"cpe:/o:rockwellautomation:controllogix_5560_firmware" :
{"family" : "ControlLogix5560"},
"cpe:/o:rockwellautomation:controllogix_5570_firmware" :
{"family" : "ControlLogix5570"},
"cpe:/o:rockwellautomation:controllogix_5580_firmware" :
{"family" : "ControlLogix5580"},
"cpe:/o:rockwellautomation:guardlogix_5560_firmware" :
{"family" : "GuardLogix5560"},
"cpe:/o:rockwellautomation:guardlogix_5570_firmware" :
{"family" : "GuardLogix5570"},
"cpe:/o:rockwellautomation:guardlogix_5580_firmware" :
{"family" : "GuardLogix5580"},
"cpe:/o:rockwellautomation:flexlogix_1794-l34_firmware" :
{"family" : "FlexLogix"},
"cpe:/o:rockwellautomation:drivelogix_5730_firmware" :
{"family" : "DriveLogix"},
"cpe:/o:rockwellautomation:softlogix_5800_firmware" :
{"family" : "SoftLogix5800"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
41.5%