CVE-2020-25176: Rockwell Automation ISaGRAF5 Runtime Relative Path Traversal
First published: Fri Mar 18 2022(Updated: )
Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rockwell Automation AADvance Controller | ||
| Rockwell Automation ISaGRAF Free Runtime in ISaGRAF6 Workbench | ||
| Rockwell Automation Micro800 | ||
| Schneider Electric Easergy T300 Firmware | <=2.7.1 | |
| Schneider Electric Easergy T300 Firmware | ||
| Schneider-electric Easergy C5 | <1.1.0 | |
| Schneider-electric Easergy C5 | ||
| Schneider-electric Micom C264 Firmware | <d6.1 | |
| Schneider-electric Micom C264 Firmware | ||
| Schneider-electric Pacis Gtw Firmware | =5.1 | |
| Schneider-electric Pacis Gtw Firmware | =5.2 | |
| Schneider-electric Pacis Gtw Firmware | =6.1 | |
| Schneider-electric Pacis Gtw Firmware | =6.3 | |
| Schneider-electric Pacis Gtw Firmware | =6.3 | |
| Schneider-electric Pacis Gtw Firmware | ||
| Schneider-electric Saitel Dp | <=11.06.21 | |
| Schneider-electric Saitel Dp Firmware | ||
| Schneider-electric Epas Gtw Firmware | =6.4 | |
| Schneider-electric Epas Gtw Firmware | =6.4 | |
| Schneider-electric Epas Gtw Firmware | ||
| Saitel DR | <=11.06.12 | |
| Schneider-electric Saitel Dr Firmware | ||
| Schneider-electric SCD2200 Firmware | <=10024 | |
| Schneider Electric CP-3 | ||
| Schneider-electric Mc-31 | ||
| Rockwell Automation AADvance Controller | <=1.40 | |
| Isagraf | <=6.6.8 | |
| Rockwell Automation Isagraf Runtime | >=5.0<6.0 | |
| Rockwell Automation Micro810 Firmware | ||
| Rockwell Automation Micro810 | ||
| Rockwell Automation Micro820 Firmware | ||
| Rockwell Automation Micro820 | ||
| Rockwell Automation Micro830 Firmware | ||
| Rockwell Automation Micro830 Firmware | ||
| Rockwell Automation Micro850 Firmware | ||
| Rockwell Automation Micro850 | ||
| Rockwell Automation Micro870 Firmware | ||
| Rockwell Automation Micro870 | ||
| Xylem Multismart Firmware | <3.2.0 |
Remedy
Rockwell Automation recommends users update to ISaGRAF Runtime 5 Version 5.72.00. End users are encouraged to restrict or block access on TCP 1131 and TCP 1132 from outside the industrial control system. Confirm the least-privilege user principle is followed and user/service account access to Runtime's folder location is granted with a minimum amount of rights needed. Rockwell Automation recommends users of affected versions evaluate the mitigations provided and apply the appropriate mitigations to deployed products. Users are encouraged to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy. To reduce risk, Rockwell Automation recommends users: Employ proper network segmentation and security controls. Minimize network exposure for all control system devices. Locate control systems behind firewalls. Isolate control systems from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies. Consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances. Ensure the least-privilege user principle is followed, and user/service account access to Runtime’s folder location is granted with a minimum amount of rights, as needed. Please see publications from Rockwell Automation and Schneider Electric, Xylem, or contact GE for further information about how to mitigate these vulnerabilities in additional affected products.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699
- https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01
- https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf
- https://www.cisa.gov/news-events/ics-advisories/icsa-20-280-01 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2020-25176?
CVE-2020-25176 has been rated as high severity due to its potential for remote exploitation.
How do I fix CVE-2020-25176?
To fix CVE-2020-25176, you should update the affected Rockwell Automation ISaGRAF Runtime versions to the latest patched versions.
What systems are affected by CVE-2020-25176?
CVE-2020-25176 affects Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x as well as specific Schneider Electric firmware versions.
Can CVE-2020-25176 be exploited remotely?
Yes, CVE-2020-25176 can be exploited remotely, allowing an attacker to perform unauthorized file operations.
What types of file operations are potentially vulnerable in CVE-2020-25176?
CVE-2020-25176 allows for various file operations, including reading and writing files due to insufficient validation of file name parameters.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/severity
- agent/references
- agent/event
- agent/trending
- agent/source
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- vendor/rockwell automation
- canonical/rockwell automation aadvance controller
- canonical/rockwell automation isagraf free runtime in isagraf6 workbench
- canonical/rockwell automation micro800
- vendor/schneider-electric
- canonical/schneider electric easergy t300 firmware
- version/schneider electric easergy t300 firmware/2.7.1
- canonical/schneider-electric easergy c5
- canonical/schneider-electric micom c264 firmware
- canonical/schneider-electric pacis gtw firmware
- version/schneider-electric pacis gtw firmware/5.1
- version/schneider-electric pacis gtw firmware/5.2
- version/schneider-electric pacis gtw firmware/6.1
- version/schneider-electric pacis gtw firmware/6.3
- canonical/schneider-electric saitel dp
- version/schneider-electric saitel dp/11.06.21
- canonical/schneider-electric saitel dp firmware
- canonical/schneider-electric epas gtw firmware
- version/schneider-electric epas gtw firmware/6.4
- canonical/saitel dr
- version/saitel dr/11.06.12
- canonical/schneider-electric saitel dr firmware
- canonical/schneider-electric scd2200 firmware
- version/schneider-electric scd2200 firmware/10024
- canonical/schneider electric cp-3
- canonical/schneider-electric mc-31
- vendor/rockwellautomation
- version/rockwell automation aadvance controller/1.40
- canonical/isagraf
- version/isagraf/6.6.8
- canonical/rockwell automation isagraf runtime
- version/rockwell automation isagraf runtime/5.0
- canonical/rockwell automation micro810 firmware
- canonical/rockwell automation micro810
- canonical/rockwell automation micro820 firmware
- canonical/rockwell automation micro820
- canonical/rockwell automation micro830 firmware
- canonical/rockwell automation micro850 firmware
- canonical/rockwell automation micro850
- canonical/rockwell automation micro870 firmware
- canonical/rockwell automation micro870
- vendor/xylem
- canonical/xylem multismart firmware