Revision Number
1.3
Executive Summary
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
The following Rockwell Automation products are based on ISaGRAF to design integrated automation solutions:
- AADvance® Controller version 1.32 and earlier
- ISaGRAF Free Runtime in ISaGRAF6 Workbench version 6.6.8 and earlier
- Micro800™ family, all versions
Vulnerability Details
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote attacker authenticated on the IXL protocol to traverse an application’s directory, which could lead to remote code execution.
CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
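The missing file-name check described above can be illustrated with the following added example, which is not Rockwell Automation or ISaGRAF code. It contrasts joining a received name to the application directory as-is with validating it against an allowlist first. `APP_DIR`, `MAX_NAME`, the function names and the sample names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define APP_DIR  "/opt/runtime/app"  /* hypothetical application directory */
#define MAX_NAME 64                  /* assumed limit, not from the advisory */

/* Allowlist: a bare name of [A-Za-z0-9_-] with single dots between parts.
 * Rejects '/', '\\', ':', "..", leading/trailing dots, empty or long names. */
bool is_safe_filename(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > MAX_NAME || name[0] == '.')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9');
        /* a dot is accepted only when a non-dot character follows it */
        bool dot_ok = c == '.' && name[i + 1] != '.' && name[i + 1] != '\0';
        if (!(alnum || c == '_' || c == '-' || dot_ok))
            return false;
    }
    return true;
}

/* Unchecked form, as the advisory describes: the name is joined as-is. */
int build_path_unchecked(const char *name, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s/%s", APP_DIR, name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Hardened form: validate, then join. Returns 0 on success, -1 on reject. */
int build_path_checked(const char *name, char *out, size_t out_len)
{
    return is_safe_filename(name) ? build_path_unchecked(name, out, out_len) : -1;
}

int main(void)
{
    /* constructed sample names */
    const char *samples[] = { "app1.bin", "../../etc/hosts", "a\\..\\b", "C:evil" };
    char path[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               build_path_checked(samples[i], path, sizeof path) ? "rejected" : path);
    return 0;
}
```

An allowlist is used rather than a list of forbidden characters so that separators and drive or stream syntax on both POSIX and Windows targets are rejected by default.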
CVE-2020-25184: Information Disclosure due to cleartext storage of passwords in a file and memory
ISaGRAF Runtime stores the password in plaintext in a file which is located in the same directory with the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords resulting in information disclosure.
CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-25178: Information Disclosure due to Cleartext Transmission of Information
ISaGRAF Workbench communicates with ISaGRAF Runtime using TCP/IP. The communication protocol provides various file system operations as well as uploading applications. Data is transferred over this protocol unencrypted, which could allow a remote, unauthenticated attacker to upload, read and delete files.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-25182: Code Execution due to Uncontrolled Search Path Element
ISaGRAF Runtime searches and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects Microsoft Windows systems running ISaGRAF Runtime.
CVSS v3.1 Base Score: 6.7/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-25180: Information Disclosure due to Hard-coded Cryptographic Key
ISaGRAF Runtime includes the functionality of setting a password which is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the Tiny Encryption Algorithm (TEA) on a password that has been entered or saved. A remote, unauthenticated attacker could pass his own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.
CVSS v3.1 Base Score: 5.3/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Risk Mitigation & User Action
Vulnerability | Affected Products | Suggested Mitigations |
CVE-2020-25176 | AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00. Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041 |
CVE-2020-25178 | AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00. Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041 |
CVE-2020-25182 | ISaGRAF5 Runtime | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00. Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. |
CVE-2020-25184 | AADvance Controller, ISaGRAF5 Runtime, AADvance Eurocard controller | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3. Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041 |
CVE-2020-25180 | AADvance Controller | To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies. Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041 |
General Security Guidelines
- Use proper network infrastructure controls, such as firewalls, to help ensure that any communication protocols from unauthorized sources are blocked.
- Block traffic to all protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to ports using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports, refer to the product documentation.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Using Microsoft® AppLocker or a similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
- Confirm that the least-privilege user principle is followed, and user/service account access to shared resources is only granted with a minimum number of rights as needed.
- Do not open untrusted .isasln and .acfproj files with ISaGRAF6 Workbench.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).