ISaGRAF Workbench for SAGE RTU
Monitor | 6.1 | SEVD-2022-284-03 | Oct 10, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
ISaGRAF Workbench software bundled with Schneider Electric SAGE RTU devices contains multiple vulnerabilities that allow remote code execution and privilege escalation. SAGE RTU hardware devices collect and relay utility substation data to SCADA platforms. The vulnerability can only be exploited when TCP listening ports on the RTU are open and an attacker connects with ISaGRAF Workbench. Successful exploitation may grant an attacker SYSTEM-level privileges on the RTU, allowing them to disrupt substation data collection and SCADA integration.
What this means
What could happen
An attacker with access to open TCP ports on the SAGE RTU could exploit path traversal vulnerabilities in ISaGRAF Workbench to execute arbitrary code on the device. If the RTU software runs as SYSTEM, the attacker gains full administrative control of the device, disrupting utility substation data collection and SCADA communications.
Who's at risk
Electric utilities and energy operators using Schneider Electric SAGE RTU devices for substation data collection and SCADA integration should assess their deployment. The C3414 CPU (current model) can be patched; C3413 and C3412 CPUs (obsolete models) have no fix available and pose ongoing risk if still in service.
How it could be exploited
An attacker discovers that the TCP listening ports on the SAGE RTU are open to the network and connects to them using ISaGRAF Workbench software. The attacker exploits a path traversal vulnerability (CWE-22) in the Workbench to execute arbitrary code on the RTU. If the RTU software runs with SYSTEM privileges, code execution results in admin-level access to the device.
Prerequisites
- Open/exposed TCP listening ports on the SAGE RTU device
- Network connectivity to the RTU from the attacker's location
- ISaGRAF Workbench software to connect to the RTU ports
- RTU software running with SYSTEM or elevated privileges (for admin access)
- Path traversal vulnerability (CWE-22)
- Affects safety-critical utility infrastructure
- No patch available for obsolete CPU models
- Low complexity exploitation if ports are exposed
- Can lead to privilege escalation to SYSTEM/admin level
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
1 with fix, 2 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Schneider Electric SAGE RTU C3414 CPU (Current) | ≥ 6.0, ≤ 6.6.9 | C3414-500-S02K5_P5 |
| Schneider Electric SAGE RTU C3413 CPU (Obsolete CPU) All firmware versions | ≥ 6.0, ≤ 6.6.9 | No fix (EOL) |
| Schneider Electric SAGE RTU C3412 CPU (Obsolete CPU) All firmware versions | ≥ 6.0, ≤ 6.6.9 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Place SAGE RTU control network behind a firewall and isolate it from the business network
- WORKAROUND: Close or restrict TCP listening ports on the SAGE RTU to only authorized ISaGRAF Workbench connections
- HARDENING: Never connect ISaGRAF Workbench programming software to any network other than the isolated control network
- HARDENING: Ensure SAGE RTU devices are never accessible from the Internet; minimize network exposure
- HARDENING: Keep RTU controllers in locked cabinets and never leave them in Program mode
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Schneider Electric SAGE RTU C3414 CPU to firmware version C3414-500-S02K5_P5 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Schneider Electric SAGE RTU C3413 CPU (Obsolete CPU) All firmware versions, Schneider Electric SAGE RTU C3412 CPU (Obsolete CPU) All firmware versions. Apply the following compensating controls:
- HARDENING: If remote access to ISaGRAF Workbench is required, use a secure VPN connection to the isolated network