Critical Bugs in Rockwell, Johnson Controls ICS Gear

rockwell, johnson controls ics bugs

Bugs affecting programmable logic controllers (PLC) and physical access-control systems for facilities are rated 9.8 in severity.

Security vulnerabilities that require very little skill to exploit have been discovered in industrial control systems (ICS) gear from Rockwell Automation and Johnson Controls, which anchor a flurry of bug disclosures impacting critical infrastructure.

First, a set of critical vulnerabilities in Rockwell Automation gear affect MicroLogix 1400 Controllers, MicroLogix 1100 Controllers and RSLogix 500 Software. The controllers are programmable logic controllers (PLCs), which are key pieces of equipment in environments such as electric utilities and factories. They control the physical machinery footprint in factory assembly lines and other industrial environments.

The bugs could allow an attacker to gain access to sensitive project file information, including passwords. Rating 9.8 out of 10 on the CVSS v3 severity scale, the bugs include the use of hard-coded cryptographic key; use of a broken or risky algorithm for password protection; use of client-side authentication; and cleartext storage of sensitive information.

The first bug (CVE-2020-6990) arises from the cryptographic key being utilized to help protect the account password being hard-coded into the RSLogix 500 binary file.

“An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller,” according to the advisory, issued on Tuesday.

Further, the cryptographic function used to protect the password in MicroLogix is discoverable (CVE-2020-6984), the advisory noted.

The authentication issue (CVE-2020-6988) allows a remote, unauthenticated attacker to send a request from the RSLogix 500 software to the victim’s MicroLogix controller: “The controller will then respond to the client with used password values to authenticate the user on the client-side,” according to the advisory. “This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.”

And finally, the cleartext storage bug (CVE-2020-6980) exists in an email function. If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project may be able to gather SMTP server authentication data as it is written to the project file in cleartext.

Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies, as well as Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab, were credited with finding the bug.

Users of MicroLogix 1400 series B controllers and RSLogix 500 software can update to the latest version to mitigate the issues; but, Rockwell Automation said that there are no mitigations for MicroLogix 1400 series A controllers or MicroLogix 1100 controllers. Threatpost has reached out for further information.

The other critical ICS vulnerability disclosed this week exists in Johnson Controls’ Kantech EntraPass product, which is a physical security door platform used for access control at industrial environments. Also carrying a severity rating of 9.8, the issue is an improper input validation bug (CVE-2019-7589).

“Successful exploitation of this vulnerability could allow malicious code execution with system-level privileges,” according to the advisory, also released Tuesday. “An API may allow an attacker to upload and execute malicious code with system-level privileges.” A successful exploit could give a cybercriminal the ability to allow or disallow access to facilities.

All Corporate Edition versions prior to v8.10 and all Global Edition versions prior to v8.10 are affected by the bug, which was discovered by Johnson Controls’ internal security team. Users should update to EntraPass Version 8.10 to address the problem.

Several other lower-severity ICS bugs were revealed on Tuesday, including issues in Siemens SiNVR 3; SIMATIC S7-300 CPUs and SINUMERIK Controller over Profinet; Siemens Spectrum Power 5; and Johnson Controls Metasys. Siemens also updated several older advisories. The full list of updates is available from ICS-CERT.

ICS is snagging an increased spotlight from security researchers and the federal government. For instance, critical infrastructure will be a main focus for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this year, it recently announced.

That’s because attacks are increasing in the sector. As an example, the bug disclosures come as the European Network of Transmission System Operators for Electricity (ENTSO-E), which represents electricity transmission system operators across dozens of European nations, announced that its IT network was breached, impacting an estimated 42 grid operators across 35 European countries.

“This is a strategic move by the adversary to focus on a centralized target in order to impact multiple European electrical grids at the same time,” said Phil Neray, vice president of industrial cybersecurity for CyberX, via email. “Compromising IT networks is simply the first step in gaining access to operational technology.”

Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.


Suggested articles