PN1567 | ISaGRAF Runtime Affected by Multiple Vulnerabilities

Rockwell Automation received a report from Kaspersky regarding five vulnerabilities in ISaGRAF^® Runtime 4 and 5. If successfully exploited, these vulnerabilities may result in remote code execution, information disclosure, or denial of service.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

ISaGRAF Runtime 4.x and 5.x
The following Rockwell Automation products are based on ISaGRAF to design integrated automation solutions:

• AADvance^® Controller version 1.40 and earlier
• ISaGRAF Free Runtime in ISaGRAF6 Workbench version 6.6.8 and earlier
• Micro800™  family, all versions

CVE-2020-25176: Code Execution due to Relative Path Traversal
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote attacker authenticated on the IXL protocol to traverse an application’s directory, which could lead to remote code execution.

CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2020-25184: Information Disclosure due to cleartext storage of passwords in a file and memory
ISaGRAF Runtime stores the password in plaintext in a file which is located in the same directory with the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords resulting in information disclosure.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25178: Information Disclosure due to Cleartext Transmission of Information
ISaGRAF Workbench communicates with ISaGRAF Runtime using TCP/IP. The communication protocol provides various file system operations as well as uploading applications. Data is transferred over this protocol unencrypted, which could allow a remote, unauthenticated attacker to upload, read and delete files.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-25182: Code Execution due to Uncontrolled Search Path Element
ISaGRAF Runtime searches and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects Microsoft Windows systems running ISaGRAF Runtime.

CVSS v3.1 Base Score: 6.7/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25180: Information Disclosure due to Hard-coded Cryptographic Key
ISaGRAF Runtime includes the functionality of setting a password which is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the Tiny Encryption Algorithm (TEA) on a password that has been entered or saved.  A remote, unauthenticated attacker could pass his own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

CVSS v3.1 Base Score: 5.3/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Customers using the affected software are encouraged to update to an available software and are directed towards risk mitigation. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Vulnerability	Affected Products	Suggested Mitigations
CVE-2020-25176	AADvance Controller ISaGRAF5 Runtime Micro800 family	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3 Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. For ISaGRAF, customers are encouraged to restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. For AADvance controllers, Customers should update to version 1.041.3 to mitigate vulnerability. For Micro800 family, to reduce risk, customers are encouraged to help protect the controller with a password. Additionally, customers deploying Micro870®, Micro850®, or Micro830® controllers are encouraged to put the controller's mode switch to "RUN". Customers are encouraged to restrict or block traffic on TCP 44818 from outside the industrial control system network zone. Customers should also confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products .
CVE-2020-25178	AADvance Controller ISaGRAF5 Runtime Micro800 family	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3. Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
CVE-2020-25182	ISaGRAF5 Runtime	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00. Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
CVE-2020-25184	AADvance Controller ISaGRAF5 Runtime	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3. Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability.
CVE-2020-25180	AADvance Controller ISaGRAF5 Runtime	To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies. Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances. For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability.