Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk

ics critical flaw

A critical Rockwell Automation flaw could be exploited to manipulate an industrial drive’s physical process and or even stop it.

A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.

The vulnerability was identified in Rockwell Automation’s PowerFlex 525 drive component, which is used in applications such as conveyors, fans, pumps and mixers. The drive offers a wide range of motor and software controls from regulating volts per hertz and software used to manage EtherNet/IP networks.

The flaw, CVE-2018-19282, could be exploited to manipulate the drive’s physical process and or stop it, according to researchers with Applied Risk who found it. The vulnerability has a CVSS score of 9.1, making it critical, according to researchers.

“This finding allows an attacker to crash the Common Industrial Protocol (CIP) in a way that it does not accept any new connection,” Nicholas Merle, with Applied Risk, wrote in a Thursday analysis (PDF). “The current connections however, are kept active, giving attackers complete control over the device.”

The vulnerability is critical because it gives “complete access to the device and DOS for the other users,” an Applied Risk spokesperson told Threatpost. “So availability and integrity are impacted, with no confidentiality impact. Those are also the most important factors in OT environment.” 

For a variable frequency drive, which controls the speed of motors in a live production environment, that kind of shutdown could have a serious impact. There are no known public exploits that target this vulnerability, researchers said. Impacted were versions 5.001 and older for the software.

To exploit the vulnerability, a bad actor could send a precise sequence of packets effectively crashing the Common Industrial Protocol (the industrial protocol for industrial automation applications) network stack. An Applied Risk spokesperson told Threatpost that an attacker could be remote and wouldn’t need to be authenticated.

drive industrial Rockwell automation

Rockwell Automation Powerflex 525

This creates an error in the control and configuration software, which crashes. After it crashes, it is not possible to initiate a new connection to the device, effectively forbidding any legitimate user to recover control, researchers said.

If the attacker maintains the connection used to send the payload open, he can continue sending commands as long as the connection is not interrupted, and the only way to recover access to the device is to do a power reset, researchers said. 

“Sending a specific UDP packet, a definite amount of time corrupts the… daemon forbidding any new connection to be initiated and disconnecting the configuration and control software from Rockwell Automation,” said researchers.

The flaw was first discovered July 30, 2018 and has since been patched. Rockwell Automation did not respond to a request for comment from Threatpost.

Vulnerabilities are particularly insidious when they impact industrial control systems because of the high-risk implications. According to a U.S. Department of Homeland Security bulletin the bug (CVE-2018-19282) the vulnerability is a threat to U.S. critical infrastructure.  Downtime for these systems could pose dire monetary – and in some cases even life-threatening – risks.

Rockwell Automation isn’t the only industrial control system manufacturer facing security woes. In February, Siemens released 16 security advisories for various industrial control and utility products, including a warning for a critical flaw in the WibuKey digital rights management (DRM) solution that affects the SICAM 230 process control system.

And in August, Schneider Electric released fixes for a slew of vulnerabilities that can be exploited remotely in two of its industrial control system products.

Suggested articles