Rockwell Automation ISaGRAF5 Runtime (Update A)

Plan: Patch
CVSS: 9.1
ICS-CERT: ICSA-20-280-01
Date: Oct 6, 2020
Vendors: Rockwell Automation, Schneider Electric, Moxa
Sectors: Energy, Manufacturing
Attack path
  Attack Vector: Network
  Auth Required: High
  Complexity: Low
  User Interaction: None needed
Summary

ISaGRAF5 Runtime contains multiple vulnerabilities including improper input validation (CWE-23), inadequate credential management (CWE-256), unencrypted transmission of sensitive data (CWE-319), untrusted search path execution (CWE-427), and improper key management (CWE-321). Successful exploitation may result in remote code execution, information disclosure, or denial of service on affected Rockwell Micro800 controllers, GE ALSPA distributed control systems, AADvance Controllers, ISaGRAF Free Runtime, and Xylem MultiSmart devices. Rockwell Automation has not released patches for any affected products.

What this means
What could happen
An attacker who gains high-privilege access to engineering workstations could execute arbitrary code on ISaGRAF runtime controllers, potentially altering process setpoints, stopping operations, or stealing operational data on affected PLCs and distributed control systems in power generation and water/wastewater facilities.
Who's at risk
Energy utilities, power generation facilities (including GE Steam Power plants using ALSPA distributed control systems), and water/wastewater treatment operators using Rockwell Automation Micro800 controllers, AADvance controllers, Xylem MultiSmart Gen-1/Gen-2 devices, and any system running ISaGRAF runtime components should assess their exposure.
How it could be exploited
An attacker with engineering workstation credentials or other high-privilege access could exploit the insufficient input validation (CWE-23), the cleartext transmission and weak key management (CWE-319, CWE-321), or the untrusted search path (CWE-427) in the ISaGRAF runtime to inject code that executes on the runtime controller with full system privileges.
Prerequisites
  • High privilege credentials for engineering workstation or engineering tools
  • Network access to the ISaGRAF runtime controller
  • Affected version of ISaGRAF runtime installed on target device
  • Ability to interact with runtime configuration or deployment interface
Risk factors
  • No patch available for any affected product
  • High CVSS score (9.1) with broad impact scope
  • Affects safety and control systems in critical infrastructure
  • Requires high privilege but no authentication complexity
  • Low exploit complexity (CVSS AC:L)
Exploitability
Some exploitation risk — EPSS score 3.5%
Affected products (19)
5 with fix, 2 pending, 12 EOL

Product | Affected Versions | Fix Status
ioPAC 8500 and ioPAC 8600 Series (IEC Models) Controllers Vulnerabilities | All versions | No fix (EOL)
Easergy T300 <2.8.2 | ≤ 2.8.2 | No fix (EOL)
PACiS GTW <5.2 | <5.2 | No fix (EOL)
Saitel DP <=11.06.21 | ≤ 11.06.21 | No fix (EOL)
Saitel DR <=11.06.12 | ≤ 11.06.12 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate affected Micro800, AADvance Controller, and ISaGRAF Free Runtime devices from untrusted networks using network segmentation and firewalls
  • HARDENING: Restrict access to engineering workstations and programming interfaces to authorized personnel only; implement strong authentication and access controls
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HARDENING: Monitor for unauthorized runtime modifications or configuration changes on affected controllers
  • WORKAROUND: Evaluate and deploy compensating controls such as host-based intrusion detection on engineering workstations
  • WORKAROUND: Disable ISaGRAF Free Runtime if not actively required; remove or upgrade to safe alternatives if possible
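One concrete way to act on the "monitor for unauthorized runtime modifications or configuration changes" item is a baseline-and-diff integrity check over the directory that holds the runtime's program and configuration files. The script below is an added example written for this page, not code from the advisory or from Rockwell Automation; it assumes a single directory tree for the runtime files and uses a hypothetical list of loadable-module suffixes so that a new DLL or executable appearing in the runtime's search path (the CWE-427 concern) is escalated separately from an ordinary configuration edit. The sample files and the simulated changes are constructed inside a temporary directory.

```python
"""Baseline-and-diff integrity check for a runtime/engineering host directory.

Added example, not from the advisory. Assumptions (not stated on the page):
the runtime's program and configuration files live under one directory tree,
and a file with one of LOADABLE_SUFFIXES that appears after the baseline was
taken deserves escalation because the runtime may load code from its own
search path.
"""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical set of suffixes a runtime could load as code; a new file with
# one of these in the runtime tree is reported in its own bucket.
LOADABLE_SUFFIXES = {".dll", ".exe", ".so"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large program images stay cheap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    root_path = Path(root)
    result = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            result[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    # New loadable modules are separated from routine config edits so they can
    # be escalated (search-path planting looks like "a new DLL appeared").
    new_code = [p for p in added if Path(p).suffix.lower() in LOADABLE_SUFFIXES]
    return {"added": added, "removed": removed, "modified": modified,
            "new_code": new_code}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cfg").mkdir()
        (root / "cfg" / "resource.cfg").write_text("cycle=100\n")
        (root / "app.bin").write_bytes(b"\x00\x01\x02")
        baseline = snapshot(tmp)

        # Simulated unauthorized changes (constructed, not observed data):
        # a configuration edit and a new loadable module in the runtime tree.
        (root / "cfg" / "resource.cfg").write_text("cycle=1\n")
        (root / "helper.dll").write_bytes(b"MZ")
        current = snapshot(tmp)
        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be taken right after a sanctioned deployment, stored off the host, and compared on a schedule or from a host-based intrusion detection agent; any non-empty `modified`, `removed` or `new_code` bucket outside a maintenance window is the event to alert on.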
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ioPAC 8500 and ioPAC 8600 Series (IEC Models) Controllers Vulnerabilities, Easergy T300 <2.8.2, PACiS GTW <5.2, Saitel DP <=11.06.21, Saitel DR <=11.06.12, Talus T4e RTU <A18, Schneider Electric Easergy C5, Schneider Electric MiCOM C264, Talus T4c RTU <A19.08, AADvance Controller, ISaGRAF Free Runtime in ISaGRAF6 Workbench, Micro800 family: all versions. Apply the following compensating controls:
  • HARDENING: Review Defense-in-Depth strategies published by CISA to implement layered security controls for ICS environments