Rockwell Automation PLC Software Contains RCE Flaw
Attackers Could Shut Down Operations Or Cause Physical Damage

A severe vulnerability in Rockwell Automation software used to configure programmable logic controllers could allow attackers to remotely execute malicious code.
The flaw in Rockwell Automation-owned Allen-Bradley RSLogix 5 and RSLogix 500 software stems from insufficient verification of data that could allow attackers to perform remote code execution by injecting malicious code into project files, potentially compromising entire production systems.
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday said the flaw allows malicious actors to execute code remotely by embedding Visual Basic for Applications scripts in project files, which are automatically executed on opening. The vulnerability was caused by insufficient verification of data authenticity.
Because data authenticity is not verified, attackers can trick legitimate users into running malicious scripts, giving the attackers remote control over affected systems. Attackers could potentially shut down operations, modify processes or even cause physical damage by altering operational commands.
The vulnerability, tracked as CVE-2024-7847, is rated 8.8 on the CVSS v4 scale. CISA advised immediate patching. The flaw affects all versions of RSLogix 5 and RSLogix 500, as well as related products such as RSLogix Micro Developer and Starter.
"Rockwell PLCs are ubiquitous in the U.S. manufacturing industry from automotive plants to pharmaceutical plants to food and beverage plants," said Larry O'Brien, vice president, research at Arc Advisory Group. The RSLogix 5 and RSLogix 500 software are used to configure older generation PLCs, O'Brien said.* Aging software and devices are highly common in manufacturing, where control systems are seen more as an industrial asset than an IT component needing constant attention.
"This is something I'd definitely want to address as soon as there's an opportunity. Most likely, we can address it pretty soon because it's the programming software" rather than the PLC itself that contains the flaw, he told Information Security Media Group.
Manufacturers are only likely to boot up PLC programming software when they need to make a change to automated processes on the factory floor. Still, patching can be easier said than done, since most manufacturers have a diverse install base of automation products, O'Brien said.
*Correction Sept. 24, 2024 14:54 UTC: The RSLogix 5 and RSLogix 500 are used to configure older generation PLCs and not, as mistakenly reported, older generation applications.