Flaws in Rockwell Software Impact Products From Schneider Electric, GE and Others

Several vulnerabilities discovered by Kaspersky researchers in Rockwell Automation software impact industrial products from Schneider Electric, GE and other vendors.

The security holes were identified by Kaspersky researchers in Rockwell Automation’s ISaGRAF, which is designed for the development of automation products.

The most serious of them appears to be CVE-2020-25176, a critical issue that can be exploited by “a remote attacker authenticated on the IXL [ISaGRAF eXchange Layer] protocol to traverse an application’s directory, which could lead to remote code execution.”

Another potentially serious issue is CVE-2020-25178, a high-severity flaw related to the cleartext transmission of information. A remote, unauthenticated attacker can exploit it to upload, read or delete files.

CVE-2020-25184, which has also been rated high severity, can be exploited by a local, unauthenticated attacker to obtain user passwords, which are stored in plain text in a file.

Two other vulnerabilities identified by Kaspersky have been rated medium severity. One allows a local, unauthenticated attacker to execute arbitrary code, while the other can lead to information disclosure and it can be exploited remotely without authentication.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series

Evgeny Goncharov, head of the ICS Cyber Emergency Response Team at Kaspersky, told SecurityWeek that the impact of these vulnerabilities — if they were to be exploited in attacks — depends on what the targeted device is used for.

“As some of the affected products are known to be used to control industrial enterprise mission-critical assets and therefore essential parts of the enterprise technological process depend on them, the potential attack consequences could be pretty devastating.” Goncharov warned.

In an advisory published this week, Rockwell Automation said the vulnerabilities impact its AADvance control system, ISaGRAF Runtime and ISaGRAF6 Workbench tools, and Micro800 controllers.

In its own advisory released this week, Schneider Electric said several of its industrial automation products use ISaGRAF Runtime and ISaGRAF6 Workbench, including Easergy, MiCOM, PACiS, EPAS, Saitel, SCADAPack, SCD2200 and SAGE products — many of these are remote terminal units (RTUs).

“ISaGRAF Workbench is used to program applications for embedded devices using IEC 61131-3 languages, and may be incorporated into larger programming and configuration tools. The ISaGRAF Runtime module executes the process control code created in ISaGRAF Workbench on embedded devices,” Schneider Electric explained in its advisory.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which helped coordinate disclosure to impacted vendors, also released an advisory this week. CISA’s advisory reveals that GE Steam Power’s ALSPA S6 MFC3000 and MFC1000 control systems are also affected by the ISaGRAF flaws. GE does not appear to have a public advisory, but customers have been advised by CISA to contact the company for information on how the vulnerabilities can be mitigated.

While Schneider, Rockwell and GE have taken steps to address these vulnerabilities, Kaspersky told SecurityWeek that it cannot name the other vendors as they have yet to release patches for their products.

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Related: Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products