CVE-2020-25184

7.8 HIGH

📋 TL;DR

Rockwell Automation ISaGRAF Runtime versions 4.x and 5.x store passwords in plaintext files in the same directory as the executable. This allows local unauthenticated attackers to read sensitive credentials, leading to information disclosure. Industrial control systems using these versions are affected.

💻 Affected Systems

Products:
  • Rockwell Automation ISaGRAF Runtime
Versions: 4.x and 5.x
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where ISaGRAF Runtime is installed with default configurations. Also impacts third-party products using ISaGRAF Runtime.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to industrial control systems, potentially disrupting operations, manipulating processes, or causing physical damage.

🟠 Likely Case

Unauthorized users access sensitive credentials, leading to privilege escalation, lateral movement within OT networks, and potential data theft.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to local information disclosure without system compromise.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires local access to read plaintext password files. No special tools or skills needed beyond file access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.0 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699

Restart Required: Yes

Instructions:

1. Download ISaGRAF Runtime version 6.0 or later from Rockwell Automation.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the system.
5. Verify password files are encrypted.

🔧 Temporary Workarounds

Restrict File Access Permissions

Platform: all

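Set strict file permissions on password files to prevent unauthorized reading. On Windows, avoid a deny entry for Everyone: it also applies to the account the runtime runs as. Remove inherited entries and grant access to that account only.

chmod 600 password_file (Linux; the file must be owned by the account that runs the runtime)
icacls password_file /inheritance:r /grant:r "RUNTIME_ACCOUNT:(R,W)" (Windows; RUNTIME_ACCOUNT is a placeholder for the account the runtime runs as)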

Move Password Files

Platform: all

Relocate password files to protected directories with restricted access

mv password_file /secure/location/ (Linux)
move password_file C:\secure\location\ (Windows)

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the system locally
  • Segment the network to isolate ISaGRAF systems from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether password files exist in the same directory as the ISaGRAF executable and contain plaintext credentials
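
One way to run this check on Linux and apply the chmod 600 workaround, as an added example that is not vendor or advisory code. Assumptions: the install directory is supplied by the operator, and because the advisory does not name the password files, every non-executable file in that directory is treated as a candidate.

```shell
#!/bin/sh
# Added example (not vendor code). Audits the directory holding the runtime
# executable for data files that other local accounts can read.
# Assumption: the operator passes the install path as the first argument.

# List regular, non-executable files directly inside $1 that grant read
# access to group or others (mode bits 040 or 004).
list_exposed_files() {
    find "$1" -maxdepth 1 -type f ! -perm -100 \
        \( -perm -040 -o -perm -004 \) -print
}

# Number of exposed files in $1 (0 means nothing is readable beyond the owner).
count_exposed_files() {
    list_exposed_files "$1" | wc -l | tr -d ' '
}

# Apply the chmod 600 workaround to every exposed file in $1, then re-count
# so the caller can confirm that nothing is left readable.
restrict_exposed_files() {
    list_exposed_files "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
    count_exposed_files "$1"
}

# Constructed demo: a throwaway directory standing in for the install path.
# File names and contents are made up for the example.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-secret\n' > "$d/password_file"; chmod 644 "$d/password_file"
    printf '#!/bin/sh\n' > "$d/runtime_binary"; chmod 755 "$d/runtime_binary"
    printf 'already tight\n' > "$d/owner_only"; chmod 600 "$d/owner_only"
    before=$(count_exposed_files "$d")
    after=$(restrict_exposed_files "$d")
    rm -rf "$d"
    echo "$before $after"
}

# Audit a real directory when one is given: sh audit.sh /path/to/runtime
if [ -n "${1:-}" ]; then
    list_exposed_files "$1"
fi
```

Review the listed files before restricting them: the check looks only at mode bits, so it reports configuration files as well as credential files.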

Check Version:

isagraf -v or check program properties for version information

Verify Fix Applied:

Verify password files are encrypted or moved to secure locations after patching

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file access attempts to password files
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual authentication traffic from unexpected sources
  • Lateral movement attempts within OT network

SIEM Query:

source="isagraf" AND (event_type="file_access" AND file_path="*password*")
