nessus | This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof. | TENABLE_OT_ROCKWELL_CVE-2022-1159.NASL
HistoryApr 28, 2022 - 12:00 a.m.

Rockwell Automation Studio 5000 Logix Designer Improper Control of Generation of Code (CVE-2022-1159)

2022-04-28 00:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
26

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.2%

All versions of Rockwell Automation Studio 5000 Logix Designer are vulnerable: an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code that is undetectable to a user. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

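# Plugin metadata. This branch runs when the scanner loads the script in
# description mode: it only registers attributes and then exits, so nothing in
# this block queries or touches an asset.
if (description)
{
  script_id(500631);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/31");

  script_cve_id("CVE-2022-1159");
  script_xref(name:"IAVB", value:"2024-B-0067");

  script_name(english:"Rockwell Automation Studio 5000 Logix Designer Improper Control of Generation of Code (CVE-2022-1159)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator
access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user.   This
plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07");
  script_set_attribute(attribute:"see_also", value:"https://www.rockwellautomation.com/en-us/support/advisory.PN1586.html");
  # https://claroty.com/team82/research/hiding-code-on-rockwell-automation-plcs
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c944bfe");
  # https://www.rockwellautomation.com/en-us/support/advisory.PN1586.html
  # NOTE(review): per the comment above, this short link points at the same
  # Rockwell advisory that is already listed in full two entries earlier.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?59e35533");
  # The solution text is quoted from CISA. It offers no fix in Logix Designer
  # itself, only a detection step: compare the program residing in the
  # controller with what was downloaded, from an uncompromised workstation.
  # The separator before "installed with" was a mis-encoded dash in this text
  # and is written here as a plain ASCII hyphen.
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Rockwell Automation recommends users of the affected hardware and software take risk mitigation steps listed below.
Users are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive
defense-in-depth strategy.

There is no direct mitigation for this vulnerability in the Logix Designer application. However, a detection method is
available to determine if the user program residing in the controller is identical to what was downloaded. This user
program verification can be done by the following:

- On-demand using the Logix Designer application Compare Tool v9 or later
- Scheduled using FactoryTalk AssetCentre v12 or later user program verification (Available Fall 2022)

To leverage these detection capabilities, users are directed to upgrade to:

- Studio 5000 v34 software. or later
- Corresponding versions of Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware.
- One of the following compare tools 
    - Logix Designer application Compare Tool v9 or later - installed with Studio 5000 Logix Designer
    - FactoryTalk AssetCentre v12 or later software (Available Fall 2022)

This user program comparison must be performed on an uncompromised workstation.");
  # NOTE(review): the v3 base vector below is network-reachable, no user
  # interaction, scope unchanged (AV:N/UI:N/S:U), while the description above
  # starts from an attacker who already holds administrator access on the
  # engineering workstation. Confirm which scoring source this vector tracks
  # before using it to prioritise remediation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-1159");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/04/28");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # The registered CPEs are controller firmware families, whereas the
  # description places the weakness in the Logix Designer workstation software.
  # NOTE(review): a finding therefore appears to mark controllers that could
  # receive tampered code, not a vulnerable firmware build; confirm that
  # reading against the vendor advisory.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compact_guardlogix_5380_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5380_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5480_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:controllogix_5580_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:guardlogix_5580_firmware");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Only scheduled after the Tenable.ot integration plugin, and only when the
  # 'Tenable.ot/Rockwell' KB key is present.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Rockwell");

  exit(0);
}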


include('tenable_ot_cve_funcs.inc');

# Stop here unless the 'Tenable.ot/Rockwell' KB key is set.
get_kb_item_or_exit('Tenable.ot/Rockwell');

# Asset data for the Rockwell vendor, fetched through the Tenable.ot helper library.
var rockwell_asset = tenable_ot::assets::get(vendor:'Rockwell');

# Firmware CPE -> controller family. Each entry names a family only and sets
# no version bounds, which is consistent with the advisory's "all versions".
# NOTE(review): the matching logic lives in tenable_ot_cve_funcs.inc; presumably
# any asset of a listed family is reported regardless of firmware version, so a
# firmware upgrade alone would not clear the finding. Verify against the helper.
var family_by_cpe = {
    "cpe:/o:rockwellautomation:controllogix_5580_firmware"       : {"family" : "ControlLogix5580"},
    "cpe:/o:rockwellautomation:guardlogix_5580_firmware"         : {"family" : "GuardLogix5580"},
    "cpe:/o:rockwellautomation:compactlogix_5380_firmware"       : {"family" : "CompactLogix5380"},
    "cpe:/o:rockwellautomation:compactlogix_5480_firmware"       : {"family" : "CompactLogix5480"},
    "cpe:/o:rockwellautomation:compact_guardlogix_5380_firmware" : {"family" : "GuardLogix5380"}
};

# Hand the asset and the family table to the shared helper, reporting at
# SECURITY_WARNING severity.
tenable_ot::cve::compare_and_report(
    asset:rockwell_asset,
    cpes:family_by_cpe,
    severity:SECURITY_WARNING
);
Vendor | Product | Version | CPE
rockwellautomation | compactlogix_5480_firmware | - | cpe:/o:rockwellautomation:compactlogix_5480_firmware
rockwellautomation | compact_guardlogix_5380_firmware | - | cpe:/o:rockwellautomation:compact_guardlogix_5380_firmware
rockwellautomation | controllogix_5580_firmware | - | cpe:/o:rockwellautomation:controllogix_5580_firmware
rockwellautomation | compactlogix_5380_firmware | - | cpe:/o:rockwellautomation:compactlogix_5380_firmware
rockwellautomation | guardlogix_5580_firmware | - | cpe:/o:rockwellautomation:guardlogix_5580_firmware

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.2%
