CVE-2022-1161
Published 2022-04-11
CVE-2022-1161: An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio…
Priority P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.01% (91.2th percentile)
An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code, allowing an attacker to change one and not the other.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | 1768_compactlogix_controllers | — | — |
| rockwell_automation | 1769_compactlogix_controllers | — | — |
| rockwell_automation | compact_guardlogix_5370_controllers | — | — |
| rockwell_automation | compact_guardlogix_5380_controllers | — | — |
| rockwell_automation | compactlogix_5370_controllers | — | — |
| rockwell_automation | compactlogix_5380_controllers | — | — |
| rockwell_automation | compactlogix_5480_controllers | — | — |
| rockwell_automation | controllogix_5550_controllers | — | — |
| rockwell_automation | controllogix_5560_controllers | — | — |
| rockwell_automation | controllogix_5570_controllers | — | — |
| rockwell_automation | controllogix_5580_controllers | — | — |
| rockwell_automation | drivelogix_5730_controllers | — | — |
| rockwell_automation | flexlogix_1794-l34_controllers | — | — |
| rockwell_automation | guardlogix_5560_controllers | — | — |
| rockwell_automation | guardlogix_5570_controllers | — | — |
| rockwell_automation | guardlogix_5580_controllers | — | — |
| rockwell_automation | softlogix_5800_controllers | — | — |
| rockwellautomation | factorytalk_policy_manager | — | — |
Detection & IOCs
- Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code. Monitor for discrepancies between the human-readable program and the compiled/executed code on the controller, which is the core indicator of exploitation.
- Monitor the controller change log for unexpected modifications or anomalous activity as a detection mechanism for unauthorized program changes.
- Use FactoryTalk AssetCenter software to detect unauthorized changes to controller programs.
- No known public exploits specifically target this vulnerability at time of advisory publication.
- The vulnerability has a CVSS v3 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), meaning it is exploitable remotely with no authentication or user interaction required.
- Exploitation requires an attacker to already have the ability to modify a user program on the affected controller; network access to the controller is the prerequisite.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 7.8 HIGH
GHSA
GHSA-j8wv-5g58-r5vh: The v6
ghsa_unreviewed·2024-07-16·CVSS 9.8
CVE-2024-6325 [CRITICAL] CWE-269 GHSA-j8wv-5g58-r5vh: The v6
The v6.40 release of Rockwell Automation FactoryTalk® Policy Manager CVE-2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html and CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html by implementing CIP security and did not update to the versions of the software CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html and CVE-2022-1161. https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html
GHSA
GHSA-7mvq-cv2x-gv8r: An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems
ghsa_unreviewed·2022-04-12
CVE-2022-1161 [CRITICAL] CWE-829 GHSA-7mvq-cv2x-gv8r: An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems
An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code, allowing an attacker to change one and not the other.
Red Hat
kernel: tpm: fix reference counting for struct tpm_chip
vendor_redhat·2025-02-26·CVSS 7.8
CVE-2022-49287 [HIGH] kernel: tpm: fix reference counting for struct tpm_chip
In the Linux kernel, the following vulnerability has been resolved:
tpm: fix reference counting for struct tpm_chip
The following sequence of operations results in a refcount warning:
1. Open device /dev/tpmrm.
2. Remove module tpm_tis_spi.
3. Write a TPM command to the file descriptor opened at step 1.
```
------------[ cut here ]------------
WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
refcount_t: addition on 0; use-after-free.
Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac
sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4
brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes
raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm
snd_timer gene
```
CISA ICS
Rockwell Automation Logix Controllers
cisa_ics·2022-03-31·CVSS 10.0
[CRITICAL] Rockwell Automation Logix Controllers
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## Rockwell Automation Logix Controllers
Last Revised: March 31, 2022
Alert Code: ICSA-22-090-05
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: Logix Controllers
- Vulnerability: Inclusion of Functionality from Untrusted Control Sphere
## 2. RISK EVALUATION
Successful exploitation of this vulnerability may allow an attacker to modify user programs. A user could then unknowingly download those modified elements containing malicious code.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Ro
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.