emb3d - tid-303

tid-303

Vulnerability from emb3d

Type

Link

Description

If device management is intended to be performed by a dedicated engineering software platform or integrated development environment (IDE), the threat actor could potentially modify the software platform, such as by manipulating key .dlls, to install malicious code or manipulate the operation of the device. This can provide the threat actor with a mechanism to bypass protections/countermeasures.

CWE

CWE-114: Process Control (Class)

CVE-2022-1159 (GCVE-0-2022-1159)

Vulnerability from cvelistv5

Published

2022-04-01 22:17

Modified

2025-04-16 17:57

Severity ?

7.7 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user.

References

►

URL

Tags

https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Rockwell Automation	Studio 5000 Logix Designer	Version: All

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:55:24.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-1159",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T17:30:26.084154Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T17:57:50.739Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Studio 5000 Logix Designer",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sharon Brizinov and Tal Keren of Claroty reported this vulnerability to Rockwell Automation."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-01T22:17:51.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07"
        }
      ],
      "source": {
        "advisory": "ICSA-22-090-07",
        "discovery": "UNKNOWN"
      },
      "title": "Rockwell Automation Studio 5000 Logix Designer Code Injection",
      "workarounds": [
        {
          "lang": "en",
          "value": "Rockwell Automation recommends users of the affected hardware and software take risk mitigation steps listed below. Users are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.\n\nThere is no direct mitigation for this vulnerability in the Logix Designer application. However, a detection method is available to determine if the user program residing in the controller is identical to what was downloaded. This user program verification can be done by the following:\n\nOn-demand using the Logix Designer application Compare Tool v9 or later\nScheduled using FactoryTalk AssetCentre v12 or later user program verification (Available Fall 2022)\nTo leverage these detection capabilities, users are directed to upgrade to:\n\nStudio 5000 v34 software. or later\nCorresponding versions of Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware.\nOne of the following compare tools\nLogix Designer application Compare Tool v9 or later \u2013 installed with Studio 5000 Logix Designer\nFactoryTalk AssetCentre v12 or later software (Available Fall 2022)\n\nThis user program comparison must be performed on an uncompromised workstation."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2022-1159",
          "STATE": "PUBLIC",
          "TITLE": "Rockwell Automation Studio 5000 Logix Designer Code Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Studio 5000 Logix Designer",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "All"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Rockwell Automation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sharon Brizinov and Tal Keren of Claroty reported this vulnerability to Rockwell Automation."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07",
              "refsource": "CONFIRM",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07"
            }
          ]
        },
        "source": {
          "advisory": "ICSA-22-090-07",
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Rockwell Automation recommends users of the affected hardware and software take risk mitigation steps listed below. Users are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.\n\nThere is no direct mitigation for this vulnerability in the Logix Designer application. However, a detection method is available to determine if the user program residing in the controller is identical to what was downloaded. This user program verification can be done by the following:\n\nOn-demand using the Logix Designer application Compare Tool v9 or later\nScheduled using FactoryTalk AssetCentre v12 or later user program verification (Available Fall 2022)\nTo leverage these detection capabilities, users are directed to upgrade to:\n\nStudio 5000 v34 software. or later\nCorresponding versions of Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware.\nOne of the following compare tools\nLogix Designer application Compare Tool v9 or later \u2013 installed with Studio 5000 Logix Designer\nFactoryTalk AssetCentre v12 or later software (Available Fall 2022)\n\nThis user program comparison must be performed on an uncompromised workstation."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2022-1159",
    "datePublished": "2022-04-01T22:17:51.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2025-04-16T17:57:50.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted