Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Flaws in Rockwell Software Impact Products From Schneider Electric, GE and Others

Several vulnerabilities discovered by Kaspersky researchers in Rockwell Automation software impact industrial products from Schneider Electric, GE and other vendors.

Several vulnerabilities discovered by Kaspersky researchers in Rockwell Automation software impact industrial products from Schneider Electric, GE and other vendors.

The security holes were identified by Kaspersky researchers in Rockwell Automation’s ISaGRAF, which is designed for the development of automation products.

The most serious of them appears to be CVE-2020-25176, a critical issue that can be exploited by “a remote attacker authenticated on the IXL [ISaGRAF eXchange Layer] protocol to traverse an application’s directory, which could lead to remote code execution.”

Another potentially serious issue is CVE-2020-25178, a high-severity flaw related to the cleartext transmission of information. A remote, unauthenticated attacker can exploit it to upload, read or delete files.

CVE-2020-25184, which has also been rated high severity, can be exploited by a local, unauthenticated attacker to obtain user passwords, which are stored in plain text in a file.

Two other vulnerabilities identified by Kaspersky have been rated medium severity. One allows a local, unauthenticated attacker to execute arbitrary code, while the other can lead to information disclosure and it can be exploited remotely without authentication.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series

Evgeny Goncharov, head of the ICS Cyber Emergency Response Team at Kaspersky, told SecurityWeek that the impact of these vulnerabilities — if they were to be exploited in attacks — depends on what the targeted device is used for.

Advertisement. Scroll to continue reading.

“As some of the affected products are known to be used to control industrial enterprise mission-critical assets and therefore essential parts of the enterprise technological process depend on them, the potential attack consequences could be pretty devastating.” Goncharov warned.

In an advisory published this week, Rockwell Automation said the vulnerabilities impact its AADvance control system, ISaGRAF Runtime and ISaGRAF6 Workbench tools, and Micro800 controllers.

In its own advisory released this week, Schneider Electric said several of its industrial automation products use ISaGRAF Runtime and ISaGRAF6 Workbench, including Easergy, MiCOM, PACiS, EPAS, Saitel, SCADAPack, SCD2200 and SAGE products — many of these are remote terminal units (RTUs).

“ISaGRAF Workbench is used to program applications for embedded devices using IEC 61131-3 languages, and may be incorporated into larger programming and configuration tools. The ISaGRAF Runtime module executes the process control code created in ISaGRAF Workbench on embedded devices,” Schneider Electric explained in its advisory.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which helped coordinate disclosure to impacted vendors, also released an advisory this week. CISA’s advisory reveals that GE Steam Power’s ALSPA S6 MFC3000 and MFC1000 control systems are also affected by the ISaGRAF flaws. GE does not appear to have a public advisory, but customers have been advised by CISA to contact the company for information on how the vulnerabilities can be mitigated.

While Schneider, Rockwell and GE have taken steps to address these vulnerabilities, Kaspersky told SecurityWeek that it cannot name the other vendors as they have yet to release patches for their products.

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Related: Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Checkmarx has appointed Scott Gainey as Chief Marketing Officer.

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.