Hard-Coded Key Vulnerability in Logix PLCs has Severity Score of 10 Out of 10
upstart writes in with an IRC submission:
Hard-coded key vulnerability in Logix PLCs has severity score of 10 out of 10:
Hardware that is widely used to control equipment in factories and other industrial settings can be remotely commandeered by exploiting a newly disclosed vulnerability that has a severity score of 10 out of 10.
The vulnerability is found in programmable logic controllers from Rockwell Automation that are marketed under the Logix brand. These devices, which range from the size of a small toaster to a large bread box or even bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell software called Studio 5000 Logix Designer.
On Thursday, the US Cybersecurity & Infrastructure Security Administration [(CISA)] warned of a critical vulnerability that could allow hackers to remotely connect to Logix controllers and from there alter their configuration or application code. The vulnerability requires a low skill level to be exploited, CISA said.
The vulnerability, which is tracked as CVE-2021-22681, is the result of the Studio 5000 Logix Designer software making it possible for hackers to extract a secret encryption key. This key is hard-coded into both Logix controllers and engineering stations and verifies communication between the two devices. A hacker who obtained the key could then mimic an engineering workstation and manipulate PLC code or configurations that directly impact a manufacturing process.
[...] Rockwell isn't issuing a patch that directly addresses the problems stemming from the hard-coded key. Instead, the company is recommending that PLC users follow specific risk mitigation steps. The steps involve putting the controller mode switch into run, and if that's not possible, following other recommendations that are specific to each PLC model.
[...] Claroty has issued its own writeup here.
Read more of this story at SoylentNews.