Rockwell Automation ISaGRAF5 Runtime (Update A)
Act Now
CVSS: 9.1
ICS-CERT ICSA-20-280-01
Oct 6, 2020
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
ISaGRAF5 Runtime contains multiple vulnerabilities including improper input validation (CWE-23), inadequate credential management (CWE-256), unencrypted transmission of sensitive data (CWE-319), untrusted search path execution (CWE-427), and improper key management (CWE-321). Successful exploitation may result in remote code execution, information disclosure, or denial of service on affected Rockwell Micro800 controllers, GE ALSPA distributed control systems, AADvance Controllers, ISaGRAF Free Runtime, and Xylem MultiSmart devices. Rockwell Automation has not released patches for any affected products.
What this means
What could happen
An attacker who gains high-privilege access to engineering workstations could execute arbitrary code on ISaGRAF runtime controllers, potentially altering process setpoints, stopping operations, or stealing operational data on affected PLCs and distributed control systems in power generation and water/wastewater facilities.
Who's at risk
Energy utilities, power generation facilities (including GE Steam Power plants using ALSPA distributed control systems), and water/wastewater treatment operators using Rockwell Automation Micro800 controllers, AADvance controllers, Xylem MultiSmart Gen-1/Gen-2 devices, and any system running ISaGRAF runtime components should assess their exposure.
How it could be exploited
An attacker with engineering workstation credentials or high privilege access could exploit insufficient input validation (CWE-23), weak cryptography (CWE-319, CWE-321), or insecure deserialization (CWE-427) in the ISaGRAF runtime to inject malicious code that executes on the runtime controller with full system privileges.
Prerequisites
- High privilege credentials for engineering workstation or engineering tools
- Network access to the ISaGRAF runtime controller
- Affected version of ISaGRAF runtime installed on target device
- Ability to interact with runtime configuration or deployment interface
- No patch available for any affected product
- High CVSS score (9.1) with broad impact scope
- Affects safety and control systems in critical infrastructure
- Requires high privilege but no authentication complexity
- Low exploit complexity (CVSS AC:L)
Exploitability
Moderate exploit probability (EPSS 2.6%)
Affected products (5)
2 pending, 3 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| GE Steam Power ALSPA S6 MFC3000 and MFC1000 distributed control system (GE reports these are impacted by vulnerabilities in Rockwell's ISaGRAF runtime) | All versions | No fix yet |
| Xylem MultiSmart Gen-1 and MultiSmart Gen-2 devices (as reported by Xylem), firmware | < 3.2.0 | No fix yet |
| AADvance Controller | ≤ 1.40 | No fix (EOL) |
| ISaGRAF Free Runtime in ISaGRAF6 Workbench | ≤ 6.6.8 | No fix (EOL) |
| Micro800 family | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Isolate affected Micro800, AADvance Controller, and ISaGRAF Free Runtime devices from untrusted networks using network segmentation and firewalls
- HARDENING: Restrict access to engineering workstations and programming interfaces to authorized personnel only; implement strong authentication and access controls
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor for unauthorized runtime modifications or configuration changes on affected controllers
- WORKAROUND: Evaluate and deploy compensating controls such as host-based intrusion detection on engineering workstations
- WORKAROUND: Disable ISaGRAF Free Runtime if not actively required; remove or upgrade to safe alternatives if possible
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AADvance Controller, ISaGRAF Free Runtime in ISaGRAF6 Workbench, and Micro800 family (all versions). Apply the following compensating controls:
- HARDENING: Review Defense-in-Depth strategies published by CISA to implement layered security controls for ICS environments