Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Flaws in Rockwell Software Impact Products From Schneider Electric, GE and Others

Several vulnerabilities discovered by Kaspersky researchers in Rockwell Automation software impact industrial products from Schneider Electric, GE and other vendors.

Several vulnerabilities discovered by Kaspersky researchers in Rockwell Automation software impact industrial products from Schneider Electric, GE and other vendors.

The security holes were identified by Kaspersky researchers in Rockwell Automation’s ISaGRAF, which is designed for the development of automation products.

The most serious of them appears to be CVE-2020-25176, a critical issue that can be exploited by “a remote attacker authenticated on the IXL [ISaGRAF eXchange Layer] protocol to traverse an application’s directory, which could lead to remote code execution.”

Another potentially serious issue is CVE-2020-25178, a high-severity flaw related to the cleartext transmission of information. A remote, unauthenticated attacker can exploit it to upload, read or delete files.

CVE-2020-25184, which has also been rated high severity, can be exploited by a local, unauthenticated attacker to obtain user passwords, which are stored in plain text in a file.

Two other vulnerabilities identified by Kaspersky have been rated medium severity. One allows a local, unauthenticated attacker to execute arbitrary code, while the other can lead to information disclosure and it can be exploited remotely without authentication.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series

Advertisement. Scroll to continue reading.

Evgeny Goncharov, head of the ICS Cyber Emergency Response Team at Kaspersky, told SecurityWeek that the impact of these vulnerabilities — if they were to be exploited in attacks — depends on what the targeted device is used for.

“As some of the affected products are known to be used to control industrial enterprise mission-critical assets and therefore essential parts of the enterprise technological process depend on them, the potential attack consequences could be pretty devastating.” Goncharov warned.

In an advisory published this week, Rockwell Automation said the vulnerabilities impact its AADvance control system, ISaGRAF Runtime and ISaGRAF6 Workbench tools, and Micro800 controllers.

In its own advisory released this week, Schneider Electric said several of its industrial automation products use ISaGRAF Runtime and ISaGRAF6 Workbench, including Easergy, MiCOM, PACiS, EPAS, Saitel, SCADAPack, SCD2200 and SAGE products — many of these are remote terminal units (RTUs).

“ISaGRAF Workbench is used to program applications for embedded devices using IEC 61131-3 languages, and may be incorporated into larger programming and configuration tools. The ISaGRAF Runtime module executes the process control code created in ISaGRAF Workbench on embedded devices,” Schneider Electric explained in its advisory.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which helped coordinate disclosure to impacted vendors, also released an advisory this week. CISA’s advisory reveals that GE Steam Power’s ALSPA S6 MFC3000 and MFC1000 control systems are also affected by the ISaGRAF flaws. GE does not appear to have a public advisory, but customers have been advised by CISA to contact the company for information on how the vulnerabilities can be mitigated.

While Schneider, Rockwell and GE have taken steps to address these vulnerabilities, Kaspersky told SecurityWeek that it cannot name the other vendors as they have yet to release patches for their products.

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Related: Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.