OTPulse

ISaGRAF Vulnerabilities in IEC 61131-3 Programming and Engineering Tools

Priority: Act Now | Score: 9.1 | Advisory: SEVD-2021-159-04 | Published: Jun 8, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

ISaGRAF Workbench and ISaGRAF Runtime contain multiple vulnerabilities allowing unauthorized access, privilege escalation, and remote code execution. ISaGRAF is embedded in programming tools and embedded controllers from Rockwell Automation and Schneider Electric used to create and execute IEC 61131-3 control logic on RTUs and industrial devices. Successful exploitation could allow an attacker to execute arbitrary actions on affected devices, including accessing sensitive information, elevating privileges, and running remote code that alters process control behavior. Multiple Schneider Electric and Rockwell Automation products embedding ISaGRAF are affected. Some products will not receive patches.

What this means
What could happen
An attacker with high privileges could execute remote code on engineering workstations or RTUs running ISaGRAF, potentially altering control logic, stopping operations, or extracting sensitive system configurations. Affected devices include remote terminal units (RTUs) and SCADA programming tools used in energy and manufacturing environments.
Who's at risk
Energy and manufacturing operators using Rockwell Automation and Schneider Electric RTUs (remote terminal units) for SCADA and process control, specifically those running embedded ISaGRAF Runtime for IEC 61131-3 control logic. Affected products include Easergy, PACiS, Saitel, Talus, SCADAPack, SAGE, SCD2200, and MiCOM devices. Engineering teams using ISaGRAF Workbench to program these devices are also at risk.
How it could be exploited
An attacker with valid engineering workstation credentials and network access to the ISaGRAF Runtime ports (1131, 1113) could send malicious commands through the ISaGRAF protocol to execute arbitrary code on the embedded controller. Alternatively, if the attacker can access the engineering workstation used to program RTUs, they could inject malicious IEC 61131-3 code that executes on deployed devices when the program is downloaded.
Prerequisites
  • High-level user account on engineering workstation or RTU with ISaGRAF Runtime enabled
  • Network access to ISaGRAF ETCP ports 1131 and 1113 (typically restricted to engineering subnets)
  • ISaGRAF must be configured and running on the affected device
  • For some products, physical access to install updated firmware
Key points
  • Remotely exploitable via ISaGRAF ETCP protocol
  • Requires high-level credentials or compromised engineering workstation
  • Low complexity attack if network access is available
  • Affects embedded safety logic and control setpoints
  • No fix available for multiple products (Easergy T300, PACiS GTW, Saitel DP/DR, Talus T4e/T4c, Easergy C5, MiCOM C264)
Exploitability
Moderate exploit probability (EPSS 2.6%)
Affected products (13)
5 with fix, 8 EOL

Product | Affected Versions | Fix Status
Easergy T300 <2.8.2 | ≤ 2.8.2 | No fix (EOL)
PACiS GTW <5.2 | <5.2 | No fix (EOL)
Saitel DP <=11.06.21 | ≤ 11.06.21 | No fix (EOL)
Saitel DR <=11.06.12 | ≤ 11.06.12 | No fix (EOL)
SCADAPack E <8.18.1 | <8.18.1 | 8.19.1
SCADAPack Workbench <6.6.8 | <6.6.8 | 8.19.1
SAGE RTU - C3414 CPU <C3414-500-S02K5_P5 | <C3414-500-S02K5 P5 | C3414-500-S02K5_P5
SAGE RTU - C3413 CPU, C3412 CPU, All Firmware Versions | All versions | C3414-500-S02K5_P5
Remediation & Mitigation
Do now
WORKAROUND: For SAGE RTU running firmware C3414-500-S02K2 or above, use the built-in firewall to block inbound traffic to ISaGRAF ports 1131 and 1113 when the debugger is not in use, with the rules 'block in proto tcp from any to any port = 1131' and 'block in proto tcp from any to any port = 1113'.
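The prerequisites above and this workaround both rest on ISaGRAF ports 1131 and 1113 being reachable only from engineering subnets. The following is an added detection example, not part of the advisory or any vendor tooling, that checks that assumption by flagging TCP flows to those ports from sources outside an assumed engineering subnet (10.20.0.0/24); the flow-log format and the log lines are constructed for the example.

```python
import ipaddress
import re

# ISaGRAF ETCP ports named in the advisory.
ISAGRAF_PORTS = {1131, 1113}
# Assumed engineering subnet; replace with the site's own allow-list.
ENGINEERING_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample flow records: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>".
SAMPLE_LOG = """\
2021-06-08T10:01:12Z 10.20.0.15:50212 -> 10.50.1.7:1131 tcp
2021-06-08T10:01:40Z 10.20.0.15:50213 -> 10.50.1.7:502 tcp
2021-06-08T10:02:03Z 192.168.77.9:41000 -> 10.50.1.7:1113 tcp
2021-06-08T10:02:44Z 10.99.3.2:60000 -> 10.50.1.8:1131 tcp
2021-06-08T10:03:10Z 10.99.3.2:60001 -> 10.50.1.8:1131 udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_engineering_host(ip):
    """True when the address sits inside one of the allowed engineering subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENGINEERING_SUBNETS)

def find_suspicious(log_text):
    """Return (ts, src, dst, dport) for TCP flows to ISaGRAF ports whose source
    is outside the engineering subnets; UDP and unparseable lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in ISAGRAF_PORTS and not is_engineering_host(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits

for hit in find_suspicious(SAMPLE_LOG):
    print("ALERT: ISaGRAF port reached from outside engineering subnet:", hit)
```

Any hit is evidence that the network restriction the workaround depends on is not in place, and should be reconciled against the firewall rule set.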
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade SCD2200 firmware to V9.1.0 or later (14942), which includes ISaGRAF Workbench V6.6.9; reboot the RTU after the upgrade.
HOTFIX: Upgrade SCADAPack E to version 8.19.1 and SCADAPack Workbench to version 8.19.1; reboot the RTU after the upgrade.
HOTFIX: Upgrade SAGE RTU CPU 3414 firmware to version C3414-500-S02K5_P5; reboot the RTU after the upgrade.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Easergy T300 <2.8.2, PACiS GTW <5.2, Saitel DP <=11.06.21, Saitel DR <=11.06.12, Talus T4e RTU <A18, Schneider Electric Easergy C5, Schneider Electric MiCOM C264, Talus T4c RTU <A19.08. Apply the following compensating controls:
HARDENING: For Talus T4e and T4c RTUs, implement network access controls to restrict connectivity to ISaGRAF ports; contact the vendor for mitigation guidance.
HARDENING: Locate industrial control systems and RTUs behind firewalls; prevent mission-critical devices from being accessed from outside your network.
HARDENING: Implement physical access controls to prevent unauthorized access to engineering workstations and RTU equipment.