CVE-2022-1161
📋 TL;DR
This vulnerability allows attackers with program modification access to alter user program code on Rockwell Automation ControlLogix, CompactLogix, and GuardLogix Control systems. The Studio 5000 Logix Designer stores user-readable code separately from executed compiled code, enabling attackers to change one without affecting the other. This affects industrial control systems using these specific Rockwell Automation controllers.
💻 Affected Systems
- ControlLogix 5580
- CompactLogix 5380
- CompactLogix 5480
- GuardLogix 5580
📦 What is this software?
- Compact GuardLogix 5370 Firmware by Rockwell Automation
- Compact GuardLogix 5380 Firmware by Rockwell Automation
- CompactLogix 1768 L43 Firmware by Rockwell Automation
- CompactLogix 1768 L45 Firmware by Rockwell Automation
- CompactLogix 1769 L31 Firmware by Rockwell Automation
- CompactLogix 1769 L32c Firmware by Rockwell Automation
- CompactLogix 1769 L32e Firmware by Rockwell Automation
- CompactLogix 1769 L35cr Firmware by Rockwell Automation
- CompactLogix 1769 L35e Firmware by Rockwell Automation
- CompactLogix 5370 L1 Firmware by Rockwell Automation
- CompactLogix 5370 L2 Firmware by Rockwell Automation
- CompactLogix 5370 L3 Firmware by Rockwell Automation
- CompactLogix 5380 Firmware by Rockwell Automation
- CompactLogix 5480 Firmware by Rockwell Automation
- ControlLogix 5550 Firmware by Rockwell Automation
- ControlLogix 5560 Firmware by Rockwell Automation
- ControlLogix 5570 Firmware by Rockwell Automation
- ControlLogix 5580 Firmware by Rockwell Automation
- DriveLogix 5730 Firmware by Rockwell Automation
- FlexLogix 1794 L34 Firmware by Rockwell Automation
- GuardLogix 5560 Firmware by Rockwell Automation
- GuardLogix 5570 Firmware by Rockwell Automation
- GuardLogix 5580 Firmware by Rockwell Automation
- SoftLogix 5800 Firmware by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial processes leading to physical damage, safety hazards, production shutdowns, or environmental incidents through malicious program modifications.
Likely Case
Unauthorized program changes causing production disruptions, quality issues, or equipment damage in industrial environments.
If Mitigated
Limited impact with proper access controls, network segmentation, and monitoring preventing unauthorized program modifications.
🎯 Exploit Status
Requires access to modify user programs through Studio 5000 Logix Designer. No public exploit code available as of advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v34.11 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1653.html
Restart Required: Yes
Instructions:
1. Download firmware v34.11 or later from Rockwell Automation.
2. Back up the current program and configuration.
3. Update the controller firmware using Studio 5000 Logix Designer.
4. Verify program functionality after the update.
5. Restart the controller if required.
🔧 Temporary Workarounds
Network Segmentation
Isolate control system networks from business networks and restrict access to engineering workstations.
Access Control Enforcement
Implement strict access controls for Studio 5000 Logix Designer and program modification privileges.
🧯 If You Can't Patch
- Implement network segmentation to isolate control systems from untrusted networks
- Enforce strict access controls and monitoring for program modification activities
🔍 How to Verify
Check if Vulnerable:
Check controller firmware version in Studio 5000 Logix Designer. Versions prior to v34.11 are vulnerable.
Check Version:
In Studio 5000 Logix Designer: Right-click controller → Properties → Controller → General tab → Firmware Revision
Verify Fix Applied:
Verify controller firmware version is v34.11 or later in Studio 5000 Logix Designer properties.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized program download attempts
- Multiple program modification events
- Firmware version changes
Network Indicators:
- Unexpected communications to engineering workstations
- Program download traffic outside maintenance windows
SIEM Query:
source="studio5000" AND (event="program_download" OR event="firmware_update") AND user NOT IN authorized_users
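The log and network indicators above, together with the v34.11 version check from the verification section, turned into runnable detection logic. This is an added example, not code from the advisory or from Rockwell Automation; the log line format, the user allow-list and the maintenance window are constructed assumptions.

```python
"""Flag Studio 5000 program downloads / firmware updates that match the indicators above."""
from datetime import datetime, time

FIXED_REVISION = (34, 11)                      # v34.11 from the advisory
AUTHORIZED_USERS = {"eng_alice", "eng_bob"}    # constructed allow-list (assumption)
MAINTENANCE_WINDOW = (time(22, 0), time(23, 59))  # constructed nightly window (assumption)
WATCHED_EVENTS = {"program_download", "firmware_update"}


def parse_revision(rev: str) -> tuple:
    """Turn 'v34.11' or '33.12' into a comparable (major, minor) tuple."""
    major, minor = rev.strip().lstrip("vV").split(".", 1)
    return int(major), int(minor)


def is_vulnerable(rev: str) -> bool:
    """True for any firmware revision before the fixed v34.11."""
    return parse_revision(rev) < FIXED_REVISION


def parse_event(line: str) -> dict:
    """Constructed format: ISO timestamp,source,event,user,controller,firmware."""
    ts, source, event, user, controller, firmware = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event,
            "user": user, "controller": controller, "firmware": firmware}


def findings(lines):
    """Return (timestamp, user, controller, event, reasons) for every suspicious event."""
    out = []
    start, end = MAINTENANCE_WINDOW
    for line in lines:
        ev = parse_event(line)
        if ev["source"] != "studio5000" or ev["event"] not in WATCHED_EVENTS:
            continue
        reasons = []
        if ev["user"] not in AUTHORIZED_USERS:
            reasons.append("unauthorized user")
        if not (start <= ev["ts"].time() <= end):
            reasons.append("outside maintenance window")
        if ev["event"] == "program_download" and is_vulnerable(ev["firmware"]):
            reasons.append("target runs pre-34.11 firmware")
        if reasons:
            out.append((ev["ts"].isoformat(), ev["user"], ev["controller"], ev["event"], reasons))
    return out


SAMPLE_LOG = [  # constructed sample events
    "2024-03-05T22:15:00,studio5000,program_download,eng_alice,CLX-5580-01,34.11",
    "2024-03-06T10:42:00,studio5000,program_download,contractor7,CLX-5580-01,33.12",
    "2024-03-06T11:00:00,studio5000,firmware_update,eng_bob,CPX-5380-02,34.11",
    "2024-03-06T11:05:00,studio5000,go_online,guest,CLX-5580-01,33.12",
]
```

Running `findings(SAMPLE_LOG)` reports the contractor's daytime download to a pre-34.11 controller with all three reasons, and the engineer's daytime firmware update only as outside the window.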