ICSA-20-051-01_B&R Automation Studio and Automation Runtime

Plan PatchCVSS 9.4ICS-CERT ICSA-20-051-01Feb 20, 2020

B&R AutomationManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

B&R Automation Studio and Automation Runtime contain hardcoded SNMP credentials that cannot be changed due to product-technical limitations. An attacker with network access to the SNMP service (port 161) can use these default credentials to access and potentially modify system information and configuration on the controller. B&R has confirmed that older versions of both products are affected and states there are no technical means to change the SNMP credentials. Newer Automation Studio versions (4.6.5, 4.7.3, 4.8.2 and higher) will disable SNMP by default in newly created projects to reduce this risk. B&R recommends disabling SNMP if it is not required for operations.

What this means

What could happen

An attacker could use hardcoded SNMP credentials to remotely access B&R industrial controllers, potentially allowing them to read sensitive configuration data, modify process parameters, or disrupt operations.

Who's at risk

Manufacturing facilities using B&R Automation Studio and Automation Runtime controllers in PLCs and industrial automation systems. This affects engineers and plant operations who rely on these platforms for process control and monitoring.

How it could be exploited

An attacker with network access to an affected Automation Runtime controller can query the SNMP service using hardcoded default credentials. Once authenticated to SNMP, the attacker gains access to system information objects that may expose configuration details or allow modification of controlled parameters, depending on SNMP read/write permissions.

Prerequisites

Network access to port 161 (SNMP) on the Automation Runtime controller
Default SNMP credentials are unchanged and available in the controller's configuration

remotely exploitableno authentication required (default credentials)low complexityaffects industrial control systemsno patch available for older versions

Exploitability

Some exploitation risk — EPSS score 1.1%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

Automation Runtime:2.96 | 3.00 | 3.01 | 3.06 | 3.07 | ≥ 3.08 | ≤ 3.10 | ≥ 4.00 | ≤ 4.03 | ≥ 4.03 | ≤ 4.04 | ≥ 4.04 | ≤ 4.63 | ≥ 4.72No fix (EOL)

Automation Studio:2.7 | 3.0.71 | 3.0.80 | 3.0.81 | 3.0.90 | ≥ 4.0.x | ≤ 4.6.4 | 4.7.24.6.5, 4.7.3, 4.8.2+

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable the SNMP service on all Automation Runtime controllers if SNMP monitoring is not required for operations

HARDENINGRestrict network access to SNMP port 161 using firewall rules; allow only authorized management workstations to communicate with the controller on this port

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Automation Studio to version 4.6.5 or higher (4.7.3+ or 4.8.2+), which disables SNMP by default in new projects

Mitigations - no patch available

0/1

Automation Runtime: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate Automation Runtime controllers from direct Internet access and locate them behind a firewall on a separate control network

CVEs (1)

CVE-2019-19108

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/645e026b-b6b5-45fa-9fed-b117dbaa5c9d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.