CVE-2022-1161: An attacker with the ability to modify a user program may change code on Control, CompactLogix, and GuardLogix Control systems.

This can allow an attacker to alter the program logic and potentially cause a system to crash, produce unexpected results, or leak sensitive data. Control system programmers should be aware that user-readable program code is written to memory locations other than where the compiled code runs, and should keep that in mind when writing code. They should also be aware that these systems are not as secure as they seem.

System Boundary Conditions

Before designing a control system, it is important to understand the physical and logical boundaries of the system. A control system typically consists of three different parts: hardware, software, and programmers. The software part is what the user interacts with. The hardware part is what offers the underlying capabilities for the software to work, like communication between devices and computing power. The programmers are the ones who wrote the code for the control system.

The programming language that was written for this project was C#. There were several reasons why this was chosen, one being that C# has more structure than other languages and another being that it is object-oriented, which makes it easier to reuse code across a number of projects. One of the main dangers posed by this project lies in boundary conditions, where a programmer may not consider all possible scenarios when writing code because they have no way of knowing how many bugs there could be. If a boundary condition exists in this program, or in any other program written in any programming language, then an attacker can alter program logic or cause unexpected results or data leaks when the program is used on systems other than the ones it was intended for.

Vulnerabilities and Exposures

Vulnerabilities and exposures are found in both the compiled code from a compiler and in the user-readable code.
When writing the compiled code, control system programmers should be aware of what memory locations variables are written to. They should also know where these variables will be read from when the program is running, so that they can make sure that these values are not being tampered with by an attacker.
With regard to user-readable code, control system programmers should ensure that this code only gets stored in execution memory space and never in data memory. They should also keep in mind that many of these programs can have multiple threads of execution, meaning there is potential for one thread to write its value before another thread reads it. Because of this, they should make sure that their values are read in the correct order; otherwise an attacker could deliberately cause the program to crash or leak sensitive information.

Timeline

Published on: 04/11/2022 20:15:00 UTC
Last modified on: 04/18/2022 14:23:00 UTC
