CVE-2022-1667
📋 TL;DR
CVE-2022-1667 is a client-side enforcement of server-side security flaw in the web interface of the Secheron SEPCOS Control and Protection Relay. The web UI gates the reboot control only with JavaScript in the browser; the server does not re-check, so an attacker who can reach the web interface can reboot the device by calling the JavaScript function directly from the browser console or by requesting the underlying PHP script. The result is an unauthorized reboot of a protection relay, which interrupts the process it protects.
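To make the failure mode concrete, here is an added Python illustration, not Secheron's code: the SEPCOS script names and session handling are not on this page, and the `/maintenance/reboot.php` path, the session table and the handler functions are all hypothetical. It shows a reboot endpoint guarded only by browser-side JavaScript beside the same endpoint with the check moved to the server.

```python
"""Client-side-only gating versus a server-side check, as a hypothetical handler.

Added illustration, not Secheron SEPCOS code. The path, the session table and
the request shape are assumptions made to keep the example runnable offline.
A request is a dict; a handler returns (http_status, action_or_None).
"""

# Constructed session table (token -> role). Stands in for whatever the real
# device uses; it exists only so the hardened handler has something to check.
SESSIONS = {"tok-admin-1": "admin", "tok-viewer-2": "viewer"}
REBOOT_PATH = "/maintenance/reboot.php"   # hypothetical script name


def vulnerable_handler(request):
    """Reboot endpoint whose only guard lives in the browser.

    The HTML hides the Reboot button unless the page's JavaScript believes the
    user is an admin, but the server never re-checks. Anything that can emit
    an HTTP request (browser console, curl, a script) skips the hidden button
    and hits the script directly: the CVE-2022-1667 pattern.
    """
    if request["path"] == REBOOT_PATH:
        return 200, "REBOOT"
    return 404, None


def hardened_handler(request):
    """Same endpoint with the decision moved to the server.

    Checks the client cannot bypass: a valid session (401 otherwise), an
    admin role (403), and a state-changing verb (405) so a plain GET from a
    link or <img> tag cannot trigger a reboot. The JavaScript may stay as a
    UI convenience; it is no longer the control.
    """
    if request["path"] != REBOOT_PATH:
        return 404, None
    role = SESSIONS.get(request.get("cookie_session"))
    if role is None:
        return 401, None
    if role != "admin":
        return 403, None
    if request["method"] != "POST":
        return 405, None
    return 200, "REBOOT"


# Constructed requests: what a console/curl attacker sends (no session, GET),
# a low-privilege user, and a legitimate admin.
UNAUTH_GET = {"method": "GET", "path": REBOOT_PATH}
VIEWER_POST = {"method": "POST", "path": REBOOT_PATH, "cookie_session": "tok-viewer-2"}
ADMIN_GET = {"method": "GET", "path": REBOOT_PATH, "cookie_session": "tok-admin-1"}
ADMIN_POST = {"method": "POST", "path": REBOOT_PATH, "cookie_session": "tok-admin-1"}


def compare():
    """Run both handlers over the same requests: {label: (vulnerable, hardened)}."""
    cases = {"unauth_get": UNAUTH_GET, "viewer_post": VIEWER_POST,
             "admin_get": ADMIN_GET, "admin_post": ADMIN_POST}
    return {k: (vulnerable_handler(r), hardened_handler(r)) for k, r in cases.items()}


if __name__ == "__main__":
    for label, (vuln, hard) in compare().items():
        print(f"{label:12s} vulnerable={vuln} hardened={hard}")
```

The line that matters is the first entry of `compare()`: the unauthenticated GET reboots the vulnerable device and is refused by the hardened one. Whatever the page's JavaScript does or does not show, the server has to make the decision.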
💻 Affected Systems
- Secheron SEPCOS Control and Protection Relay firmware (the SEPCOS PLC controller web interface); the affected firmware versions per model are listed in CISA advisory ICSA-22-174-03
📦 What is this software?
Sepcos Control And Protection Relay Firmware by Secheron
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of the protected process: repeated or ill-timed reboots take the relay's control and protection functions offline while it restarts, which can cause production downtime, equipment damage or a safety incident.
Likely Case
Temporary disruption of industrial processes causing production delays and requiring manual intervention to restore normal operations.
If Mitigated
Minimal impact with proper network segmentation, authentication controls, and monitoring in place to detect and prevent unauthorized access attempts.
🎯 Exploit Status
Exploitation requires network access to the relay's web interface but no authentication. The reboot can be triggered from the browser's JavaScript console or by requesting the PHP script directly with any HTTP client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See CISA advisory ICSA-22-174-03 (Secheron SEPCOS Control and Protection Relay) for the fixed firmware version of each SEPCOS PLC model
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-22-174-03
Restart Required: Yes
Instructions:
1. Review CISA advisory ICSA-22-174-03 and Secheron's accompanying guidance.
2. Identify the affected SEPCOS relay models and firmware versions in your fleet.
3. Apply the firmware update Secheron specifies.
4. Restart the relay after patching, inside a planned maintenance window.
5. Verify that the web interface works and that the reboot control now enforces authorization on the server.
🔧 Temporary Workarounds
Network Segmentation
Isolate the relays from untrusted networks and restrict access to their web interface with firewall rules that allow only designated engineering workstations
Web Interface Disablement
Disable the web interface on the relay if it is not required for operations
🧯 If You Can't Patch
- Implement strict network access controls to limit PLC web interface access to authorized personnel only
- Deploy network monitoring and intrusion detection systems to alert on unauthorized access attempts to PLC interfaces
🔍 How to Verify
Check if Vulnerable:
Check whether the relay's web interface is reachable from your test position and, on a lab or spare unit only (a successful test reboots the device), confirm whether the reboot JavaScript function or its PHP script executes without an authenticated session
Check Version:
Read the firmware version from the relay's web interface or Secheron's configuration software (the exact location varies by SEPCOS PLC model) and compare it with the fixed versions in ICSA-22-174-03
Verify Fix Applied:
Confirm the firmware version matches a fixed version in ICSA-22-174-03, then, on a lab or spare unit, confirm that the reboot function and PHP script are refused without an authenticated, authorized session
📡 Detection & Monitoring
Log Indicators:
- Requests to the relay web interface from sources outside the engineering-workstation allow-list or from otherwise unexpected IP addresses
- Multiple reboot requests to one relay in a short timeframe
- Unexpected restart events or uptime counter resets on the relay that do not match a maintenance window
Network Indicators:
- HTTP requests to PLC reboot scripts or functions
- Traffic to PLC web interfaces from unauthorized networks
SIEM Query (pseudo-query; replace authorized_ips and plc_ips with your engineering-workstation allow-list and relay address set):
source_ip NOT IN (authorized_ips) AND (url CONTAINS 'reboot' OR url CONTAINS 'plc_control') AND destination_ip IN (plc_ips)
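Detection logic for the indicators above, as an added example that is not part of the original page: it implements the SIEM pseudo-query over constructed key=value access-log lines and adds the "multiple reboots in a short window" check. The log format, the relay and engineering-workstation address ranges, and the URL keyword list are assumptions to adapt to whatever your proxy, firewall or relay actually emits.

```python
"""Run the page's detection indicators over constructed log lines.

Added example, not from the original page or from Secheron. The key=value log
format, the address ranges and the URL keyword list are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: which hosts are relays and which sources may talk to their web UI.
RELAY_NETS = [ipaddress.ip_network("192.168.100.0/24")]
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.0.0.0/24")]   # engineering workstations
# URL fragments from the SIEM pseudo-query; 'plc_control' is the page's placeholder.
SUSPICIOUS_URL_TERMS = ("reboot", "plc_control")
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2022-06-23T10:15:01Z src=10.0.0.15 dst=192.168.100.10 method=GET url=/index.php status=200
2022-06-23T10:15:42Z src=172.16.5.9 dst=192.168.100.10 method=GET url=/maintenance/reboot.php status=200
2022-06-23T10:16:03Z src=172.16.5.9 dst=192.168.100.10 method=GET url=/maintenance/reboot.php status=200
2022-06-23T10:17:30Z src=172.16.5.9 dst=192.168.100.11 method=GET url=/maintenance/reboot.php?force=1 status=200
2022-06-23T10:18:00Z src=10.0.0.15 dst=192.168.100.10 method=POST url=/maintenance/reboot.php status=200
2022-06-23T11:00:00Z src=172.16.5.9 dst=10.0.0.50 method=GET url=/reboot status=404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def in_any(addr, nets):
    return any(addr in n for n in nets)


def reboot_like(rec):
    """Relay destination plus a reboot-style URL, independent of who sent it."""
    url = rec["url"].lower()
    return in_any(rec["dst"], RELAY_NETS) and any(t in url for t in SUSPICIOUS_URL_TERMS)


def matches_query(rec):
    """The SIEM pseudo-query: unauthorized source, relay destination, reboot-like URL."""
    return reboot_like(rec) and not in_any(rec["src"], AUTHORIZED_SOURCES)


def detect(log_text):
    """Return (hits, bursts).

    hits: records matching the SIEM query. bursts: (src, count) for any source
    that issued BURST_THRESHOLD or more reboot-like requests within BURST_WINDOW,
    counted regardless of source authorization, since a run of reboots from an
    allowed workstation is also worth a look.
    """
    hits, per_src = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if matches_query(rec):
            hits.append(rec)
        if reboot_like(rec):
            per_src[rec["src"]].append(rec["ts"])
    bursts = []
    for src, times in per_src.items():
        times.sort()
        for i, t in enumerate(times):
            # sliding window anchored at each event: count events in [t, t + BURST_WINDOW]
            n = sum(1 for u in times[i:] if u - t <= BURST_WINDOW)
            if n >= BURST_THRESHOLD:
                bursts.append((str(src), n))
                break
    return hits, bursts


if __name__ == "__main__":
    hits, bursts = detect(SAMPLE_LOG)
    for h in hits:
        print(f"HIT   {h['ts'].isoformat()} {h['src']} -> {h['dst']} {h['method']} {h['url']}")
    for src, n in bursts:
        print(f"BURST {src} sent {n} reboot-like requests within {BURST_WINDOW}")
```

On the constructed sample the query fires three times for 172.16.5.9 and the burst check flags the same source; the authorized workstation's single POST is not a hit, and the request to a non-relay host is ignored even though its URL contains "reboot". Tune BURST_THRESHOLD to how often your operators legitimately reboot a relay.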