SEVD-2021-159-04
Vulnerability from csaf_se - Published: 2021-06-08 04:36 - Updated: 2025-11-15 00:00
Summary
ISaGRAF Vulnerabilities in IEC 61131-3 Programming and Engineering Tools
Notes
General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
https://www.se.com/us/en/download/document/7EN52-0390/
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.
For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp
LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION
About Schneider Electric
At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.
We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.
We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.
www.se.com
Overview
On June 8, 2021, Rockwell Automation disclosed multiple vulnerabilities in its ISaGRAF Workbench and ISaGRAF Runtime products. Multiple vendors, including Schneider Electric, embed ISaGRAF in their offers.
ISaGRAF Workbench is used to program applications for embedded devices using IEC 61131-3 languages and may be incorporated into larger programming and configuration tools. The ISaGRAF Runtime module executes the process control code created in ISaGRAF Workbench on embedded devices.
If successfully exploited, bad actors could execute a range of actions, including accessing and disclosing sensitive information, privilege escalation, and in some cases remote code execution.
Customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from possible exploitation of these vulnerabilities. Where appropriate, this includes locating their industrial systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; and following the mitigations and general security recommendations below.
For additional information and support, please contact your Schneider Electric sales or service representative or Schneider Electric’s Customer Care Center.
Subscribe to the Schneider Electric security notification service to be informed of critical updates to this notification, including information on affected products and remediation plans:
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
November 2022 Update: Talus T4e and T4c RTUs were added as affected products along with a mitigation.
March 2023 Update: A remediation is available for the SCD2200 product.
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "We strongly recommend the following industry cybersecurity best practices.\n\nhttps://www.se.com/us/en/download/document/7EN52-0390/\n* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.\n* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.\n* Place all controllers in locked cabinets and never leave them in the \u201cProgram\u201d mode.\n* Never connect programming software to any network other than the network intended for that device.\n* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.\n* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.\n* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.\n* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.\nFor more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. \n",
"title": "General Security Recommendations"
},
{
"category": "general",
"text": "This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.\nFor further information related to cybersecurity in Schneider Electric\u2019s products, visit the company\u2019s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp",
"title": "For More Information"
},
{
"category": "legal_disclaimer",
"text": "THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS \u201cNOTIFICATION\u201d) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN \u201cAS-IS\u201d BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION",
"title": "LEGAL DISCLAIMER"
},
{
"category": "general",
"text": "At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.\n\nWe provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.\n\nWe are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.\n\nwww.se.com ",
"title": "About Schneider Electric"
},
{
"category": "summary",
"text": "On June 8, 2021, Rockwell Automation disclosed multiple vulnerabilities in its ISaGRAF Workbench and ISaGRAF Runtime products. Multiple vendors, including Schneider Electric, embed ISaGRAF in their offers.\nISaGRAF Workbench is used to program applications for embedded devices using IEC 61131-3 languages and may be incorporated into larger programming and configuration tools. The ISaGRAF Runtime module executes the process control code created in ISaGRAF Workbench on embedded devices.\nIf successfully exploited, bad actors could execute a range of actions, including accessing and disclosing sensitive information, privilege escalation, and in some cases remote code execution.\nCustomers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from possible exploitation of these vulnerabilities. Where appropriate, this includes locating their industrial systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; and following the mitigations and general security recommendations below.\nFor additional information and support, please contact your Schneider Electric sales or service representative or Schneider Electric\u2019s Customer Care Center.\nSubscribe to the Schneider Electric security notification service to be informed of critical\nupdates to this notification, including information on affected products and remediation plans:\nhttps://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp\nNovember 2022 Update: Talus T4e and T4c RTUs were added as affected products along with a mitigation.\nMarch 2023 Update: A remediation is available for SCD2200 product.",
"title": "Overview"
}
],
"publisher": {
"category": "vendor",
"contact_details": "cpcert@se.com",
"name": "Schneider Electric CPCERT",
"namespace": "https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp"
},
"references": [
{
"category": "self",
"summary": "ISaGRAF Vulnerabilities - SEVD-2021-159-04 PDF Version",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-159-04_ISaGRAF_Security_Notification.pdf"
},
{
"category": "self",
"summary": "ISaGRAF Vulnerabilities - SEVD-2021-159-04 CSAF Version",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=sevd-2021-159-04.json"
},
{
"category": "external",
"summary": "Recommended Cybersecurity Best Practices",
"url": "https://www.se.com/us/en/download/document/7EN52-0390/"
}
],
"title": "ISaGRAF Vulnerabilities in IEC 61131-3 Programming and Engineering Tools",
"tracking": {
"current_release_date": "2025-11-15T00:00:00.000Z",
"generator": {
"date": "2025-11-14T06:13:58.534Z",
"engine": {
"name": "Schneider Electric CSAF Generator",
"version": "1.2"
}
},
"id": "SEVD-2021-159-04",
"initial_release_date": "2021-06-08T04:36:25.000Z",
"revision_history": [
{
"date": "2021-06-08T04:36:25.000Z",
"number": "1.0.0",
"summary": "Original Release"
},
{
"date": "2021-09-14T04:36:25.000Z",
"number": "2.0.0",
"summary": "Added remediations for SAGE RTU C3414 CPU, C3413 CPU and C3412 CPU"
},
{
"date": "2021-11-09T04:36:25.000Z",
"number": "3.0.0",
"summary": "Added remediations for SCADAPack 300E RTU, SCADAPack 53xE RTU, and SCADAPack Workbench"
},
{
"date": "2022-11-08T04:36:25.000Z",
"number": "4.0.0",
"summary": "Talus T4e and T4c RTUs were added as affected products along with a mitigation"
},
{
"date": "2023-03-14T06:30:00.000Z",
"number": "5.0.0",
"summary": "A remediation is available for SCD2200 product (page 3)."
},
{
"date": "2024-01-09T00:00:00.000Z",
"number": "6.0.0",
"summary": "New mitigations for the PowerLogic T300, MiCOM C264 D7.21 (or later) OR Easergy C5 1.1.6 (or later), PACiS GTW, and EPAS GTW are available for download."
},
{
"date": "2024-03-12T00:00:00.000Z",
"number": "7.0.0",
"summary": "New mitigations for Saitel DP and Saitel DR are available for download (page 5)."
},
{
"date": "2025-11-15T00:00:00.000Z",
"number": "8.0.0",
"summary": "Corrected Versions for Easergy C5 \u0026 MiCOM C264 and Added CVSS Details for Related CVEs."
}
],
"status": "final",
"version": "8.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=2.8.2",
"product": {
"name": "Schneider Electric Easergy T300 \u003c2.8.2",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "Easergy T300"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=1.0.x",
"product": {
"name": "Schneider Electric Easergy C5 Versions up to 1.0.x",
"product_id": "2"
}
}
],
"category": "product_name",
"name": "Easergy C5"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=D6.x",
"product": {
"name": "Schneider Electric MiCOM C264 Versions up to D6.x",
"product_id": "3"
}
}
],
"category": "product_name",
"name": "MiCOM C264"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.2",
"product": {
"name": "Schneider Electric PACiS GTW \u003c5.2",
"product_id": "4"
}
}
],
"category": "product_name",
"name": "PACiS GTW"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=11.06.21",
"product": {
"name": "Schneider Electric Saitel DP \u003c=11.06.21",
"product_id": "5"
}
}
],
"category": "product_name",
"name": "Saitel DP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=11.06.12",
"product": {
"name": "Schneider Electric Saitel DR \u003c=11.06.12",
"product_id": "6"
}
}
],
"category": "product_name",
"name": "Saitel DR"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cA18",
"product": {
"name": "Schneider Electric Talus T4e RTU \u003cA18",
"product_id": "7"
}
}
],
"category": "product_name",
"name": "Talus T4e RTU"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cA19.08",
"product": {
"name": "Schneider Electric Talus T4c RTU \u003cA19.08",
"product_id": "8"
}
}
],
"category": "product_name",
"name": "Talus T4c RTU"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c8.18.1",
"product": {
"name": "Schneider Electric SCADAPack E \u003c8.18.1",
"product_id": "9"
}
}
],
"category": "product_name",
"name": "SCADAPack E"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.6.8",
"product": {
"name": "Schneider Electric SCADAPack Workbench \u003c6.6.8",
"product_id": "10"
}
}
],
"category": "product_name",
"name": "SCADAPack Workbench"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cC3414-500-S02K5_P5",
"product": {
"name": "Schneider Electric SAGE RTU - C3414 CPU \u003cC3414-500-S02K5_P5",
"product_id": "11",
"product_identification_helper": {
"model_numbers": [
"C3414"
]
}
}
}
],
"category": "product_name",
"name": "SAGE RTU - C3414 CPU"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Schneider Electric SAGE RTU - C3413 CPU C3412 CPU All Firmware Versions",
"product_id": "12",
"product_identification_helper": {
"model_numbers": [
"C3413",
"C3412"
]
}
}
}
],
"category": "product_name",
"name": "SAGE RTU - C3413 CPU C3412 CPU"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10024",
"product": {
"name": "Schneider Electric SCD2200 \u003c=10024",
"product_id": "13"
}
}
],
"category": "product_name",
"name": "SCD2200"
},
{
"branches": [
{
"category": "product_version",
"name": "8.19.1",
"product": {
"name": "Schneider Electric SCADAPack E 8.19.1",
"product_id": "14",
"product_identification_helper": {
"model_numbers": [
"300E",
"53xE"
]
}
}
}
],
"category": "product_name",
"name": "SCADAPack E"
},
{
"branches": [
{
"category": "product_version",
"name": "8.19.1",
"product": {
"name": "Schneider Electric SCADAPack Workbench 8.19.1",
"product_id": "15"
}
}
],
"category": "product_name",
"name": "SCADAPack Workbench"
},
{
"branches": [
{
"category": "product_version",
"name": "C3414-500-S02K5_P5",
"product": {
"name": "Schneider Electric SAGE RTU - C3413 CPU C3412 CPU C3414-500-S02K5_P5",
"product_id": "16",
"product_identification_helper": {
"model_numbers": [
"C3413",
"C3412"
]
}
}
}
],
"category": "product_name",
"name": "SAGE RTU - C3413 CPU C3412 CPU"
},
{
"branches": [
{
"category": "product_version",
"name": "C3414-500-S02K5_P5",
"product": {
"name": "Schneider Electric SAGE RTU - C3414 CPU C3414-500-S02K5_P5",
"product_id": "17",
"product_identification_helper": {
"model_numbers": [
"C3414"
]
}
}
}
],
"category": "product_name",
"name": "SAGE RTU - C3414 CPU"
},
{
"branches": [
{
"category": "product_version_range",
"name": "V9.1.0 or later (14942)",
"product": {
"name": "Schneider Electric SCD2200 \u003c10024",
"product_id": "18"
}
}
],
"category": "product_name",
"name": "SCD2200"
}
],
"category": "vendor",
"name": "Schneider Electric"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=5.2",
"product": {
"name": "Rockwell Automation ISaGRAF Runtime Versions 5.2 and prior",
"product_id": "19"
}
}
],
"category": "product_name",
"name": "ISaGRAF Runtime"
}
],
"category": "vendor",
"name": "Rockwell Automation"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "Rockwell Automation ISaGRAF Runtime Versions 5.2 and prior default component of Schneider Electric Easergy C5 Versions up to 1.0.x",
"product_id": "20"
},
"product_reference": "19",
"relates_to_product_reference": "2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "Rockwell Automation ISaGRAF Runtime Versions 5.2 and prior default component of Schneider Electric MiCOM C264 Versions up to D6.x",
"product_id": "21"
},
"product_reference": "19",
"relates_to_product_reference": "3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-25176",
"notes": [
{
"category": "description",
"text": "Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application\u2019s directory, which could lead to remote code execution.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"14",
"15",
"16",
"17",
"18"
],
"known_affected": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
},
"remediations": [
{
"category": "mitigation",
"details": "New mitigations for the PowerLogic T300 are available for download. These mitigations reduce, but do not eliminate the risk of this vulnerability. Firmware v2.9.0 (or later) for the T300 is available for download here: https://www.se.com/ww/en/download/document/T300_Firmware/ If you cannot update to v2.9.0 (or later) please note the following. Customers should use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.If ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"1"
],
"restart_required": {
"category": "none"
},
"url": "https://www.se.com/ww/en/download/document/T300_Firmware/"
},
{
"category": "mitigation",
"details": "ISaGRAF program upload/debug mode is disabled by default, after enabling for product commissioning, disable ISaGRAF program upload/debug mode. NOTE: New mitigations are available for this product. These mitigations reduce, but do not eliminate the risk of this vulnerability. Please contact your authorized service provider / customer care and request MiCOM C264 D7.21 (or later) OR Easergy C5 1.1.6 (or later).",
"product_ids": [
"20"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "ISaGRAF program upload/debug mode is disabled by default, after enabling for product commissioning, disable ISaGRAF program upload/debug mode. NOTE: New mitigations are available for this product. These mitigations reduce, but do not eliminate the risk of this vulnerability. Please contact your authorized service provider / customer care and request MiCOM C264 D7.21 (or later) OR Easergy C5 1.1.6 (or later).",
"product_ids": [
"21"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should use the OS firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.For detailed instructions, please contact your Schneider Electric representative and request \u201cGTW ISaGRAF vulnerabilities mitigation plan.\u201dNOTE: New mitigations are available for this product. These mitigations reduce, but do not eliminate the risk of this vulnerability. Please contact your authorized service provider / customer care and request EPAS Gateway v6.4.615.100.102 or later.",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "New mitigations for Saitel DP are available for download. These mitigations reduce, but do not eliminate the risk of this vulnerability. Firmware SM_CPU866e v11.06.32 (or later) for Saitel DP is available for download here: https://www.se.com/il/en/product-range/61747-saiteldp/#software-and-firmware If you cannot update to Firmware SM_CPU866e v11.06.32 (or later) please note the following. Customers should use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug. If ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"5"
],
"restart_required": {
"category": "none"
},
"url": "https://www.se.com/il/en/product-range/61747-saiteldp/#software-and-firmware"
},
{
"category": "mitigation",
"details": "New mitigations for Saitel DR are available for download. These mitigations reduce, but do not eliminate the risk of this vulnerability. Firmware HUe v11.06.27 (or later) for Saitel DR is available for download here: https://www.se.com/il/en/product-range/62685-saitel-dr-remoteterminal-unit-controller#software-and-firmware If you cannot update to Firmware HUe v11.06.27 (or later) please note the following. Customers should use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug. If ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"6"
],
"restart_required": {
"category": "none"
},
"url": "https://www.se.com/il/en/product-range/62685-saitel-dr-remoteterminal-unit-controller#software-and-firmware"
},
{
"category": "vendor_fix",
"details": "Customers should upgrade to the firmware V9.1.0 or later (14942), which incorporates ISaGRAF Workbench V6.6.9. Notification of firmware release can be found here: https://secommunities.force.com/PAkb/s/article/CCN000244525 A reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.",
"product_ids": [
"13"
],
"restart_required": {
"category": "system"
},
"url": "https://secommunities.force.com/PAkb/s/article/CCN000244525"
},
{
"category": "mitigation",
"details": "Implement firewall rules to restrict or block access on TCP port 1131 from outside the industrial control system.\r\nDisable the ISaGRAF/TCP service when not required. Typically, this service is needed only during commissioning or maintenance operations.\r\nLimit and control administrative access rights for ISaGRAF services.\r\nUpgrade to ISaGRAF 6.6.9 (A19.09 Firmware or later).",
"product_ids": [
"7",
"8"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "V8.19.1 of SCADAPack Workbench includes a fix for these vulnerabilities and is available for download here:\r\nhttps://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities.\r\nA reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.\r\nTo verify the remediation is in place, use SCADAPack E Configurator or the RTU command line to display the firmware version.",
"product_ids": [
"9",
"10"
],
"restart_required": {
"category": "none"
},
"url": "https://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities."
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
},
{
"category": "vendor_fix",
"details": "SAGE RTU CPU\u2019s C3413 and C3412 have reached their end of life and are no longer supported. Customers should immediately upgrade to the latest CPU C3414 and apply C3414-500-S02K5_P5 or later firmware which can be downloaded here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.",
"product_ids": [
"12"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
}
],
"title": "CVE-2020-25176"
},
{
"cve": "CVE-2020-25178",
"notes": [
{
"category": "description",
"text": "ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP. This communication protocol provides various file system operations, as well as the uploading of applications. Data is transferred over this protocol unencrypted, which could allow a remote unauthenticated attacker to upload, read, and delete files.\r\n\r\n",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"14",
"15",
"16",
"17",
"18"
],
"known_affected": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
},
"remediations": [
{
"category": "mitigation",
"details": "New mitigations for the PowerLogic T300 are available for download. These mitigations reduce, but do not eliminate the risk of this vulnerability. Firmware v2.9.0 (or later) for the T300 is available for download here: https://www.se.com/ww/en/download/document/T300_Firmware/ If you cannot update to v2.9.0 (or later) please note the following. Customers should use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.If ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"1"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "ISaGRAF program upload/debug mode is disabled by default, after enabling for product commissioning, disable ISaGRAF program upload/debug mode. NOTE: New mitigations are available for this product. These mitigations reduce, but do not eliminate the risk of this vulnerability. Please contact your authorized service provider / customer care and request MiCOM C264 D7.21 (or later) OR Easergy C5 1.1.6 (or later).",
"product_ids": [
"20"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "ISaGRAF program upload/debug mode is disabled by default, after enabling for product commissioning, disable ISaGRAF program upload/debug mode. NOTE: New mitigations are available for this product. These mitigations reduce, but do not eliminate the risk of this vulnerability. Please contact your authorized service provider / customer care and request MiCOM C264 D7.21 (or later) OR Easergy C5 1.1.6 (or later).",
"product_ids": [
"21"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should use the OS firewall to block TCP port 1131 and only unblock it during new program upgrade/debug. For detailed instructions, please contact your Schneider Electric representative and request \u201cGTW ISaGRAF vulnerabilities mitigation plan.\u201d NOTE: New mitigations are available for this product. These mitigations reduce, but do not eliminate the risk of this vulnerability. Please contact your authorized service provider / customer care and request EPAS Gateway v6.4.615.100.102 or later.",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DP firmware 11.06.00 or higher and use the product firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"5"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DR firmware 11.06.03 or higher and use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"6"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "Customers should upgrade to the firmware V9.1.0 or later (14942), which incorporates ISaGRAF Workbench V6.6.9. Notification of firmware release can be found here: https://secommunities.force.com/PAkb/s/article/CCN000244525 A reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.",
"product_ids": [
"13"
],
"restart_required": {
"category": "system"
},
"url": "https://secommunities.force.com/PAkb/s/article/CCN000244525"
},
{
"category": "mitigation",
"details": "Implement firewall rules to restrict or block access on TCP port 1131 from outside the industrial control system.\r\nDisable the ISaGRAF/TCP service when not required. Typically, this service is needed only during commissioning or maintenance operations.\r\nLimit and control administrative access rights for ISaGRAF services.\r\nUpgrade to ISaGRAF 6.6.9 (A19.09 Firmware or later).",
"product_ids": [
"7",
"8"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "V8.19.1 of SCADAPack Workbench includes a fix for these vulnerabilities and is available for download here:\r\nhttps://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities.\r\nA reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.\r\nTo verify the remediation is in place, use SCADAPack E Configurator or the RTU command line to display the firmware version.",
"product_ids": [
"9",
"10"
],
"restart_required": {
"category": "system"
},
"url": "https://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities."
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "SAGE RTU CPU\u2019s C3413 and C3412 have reached their end of life and are no longer supported. Customers should immediately upgrade to the latest CPU C3414 and apply C3414-500-S02K5_P5 or later firmware which can be downloaded here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.",
"product_ids": [
"12"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
}
],
"title": "CVE-2020-25178"
},
{
"cve": "CVE-2020-25182",
"notes": [
{
"category": "description",
"text": "Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x searches for and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects ISaGRAF Runtime when running on Microsoft Windows systems.\r\n\r\n",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"14",
"15",
"16",
"17",
"18"
],
"known_affected": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
},
"remediations": [
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to T300 firmware V1.4 or higher and use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"1"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "ISaGRAF program upload/debug mode is disabled by default, after enabling for product commissioning, disable ISaGRAF program upload/debug mode.",
"product_ids": [
"20"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "For detailed instructions, please contact your Schneider Electric representative and request \u201cC5 / C264 ISaGRAF vulnerabilities mitigation plan.\u201d",
"product_ids": [
"21"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should use the OS firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.\r\nFor detailed instructions, please contact your Schneider Electric representative and request \u201cGTW ISaGRAF vulnerabilities mitigation plan.\u201d",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DP firmware 11.06.00 or higher and use the product firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"5"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DR firmware 11.06.03 or higher and use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"6"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "Customers should upgrade to the firmware V9.1.0 or later (14942), which incorporates ISaGRAF Workbench V6.6.9. Notification of firmware release can be found here: https://secommunities.force.com/PAkb/s/article/CCN000244525 A reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.",
"product_ids": [
"13"
],
"restart_required": {
"category": "system"
},
"url": "https://secommunities.force.com/PAkb/s/article/CCN000244525"
},
{
"category": "mitigation",
"details": "Implement firewall rules to restrict or block access on TCP port 1131 from outside the industrial control system.\r\nDisable the ISaGRAF/TCP service when not required. Typically, this service is needed only during commissioning or maintenance operations.\r\nLimit and control administrative access rights for ISaGRAF services.\r\nUpgrade to ISaGRAF 6.6.9 (A19.09 Firmware or later).",
"product_ids": [
"7",
"8"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "V8.19.1 of SCADAPack Workbench includes a fix for these vulnerabilities and is available for download here:\r\nhttps://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities.\r\nA reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.\r\nTo verify the remediation is in place, use SCADAPack E Configurator or the RTU command line to display the firmware version.",
"product_ids": [
"9",
"10"
],
"restart_required": {
"category": "none"
},
"url": "https://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities."
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "SAGE RTU CPU\u2019s C3413 and C3412 have reached their end of life and are no longer supported. Customers should immediately upgrade to the latest CPU C3414 and apply C3414-500-S02K5_P5 or later firmware which can be downloaded here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.",
"product_ids": [
"12"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
}
],
"title": "CVE-2020-25182"
},
{
"cve": "CVE-2020-25184",
"notes": [
{
"category": "description",
"text": "Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x searches for and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects ISaGRAF Runtime when running on Microsoft Windows systems.\r\n\r\n",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"14",
"15",
"16",
"17",
"18"
],
"known_affected": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
},
"remediations": [
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to T300 firmware V1.4 or higher and use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"1"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "ISaGRAF program upload/debug mode is disabled by default, after enabling for product commissioning, disable ISaGRAF program upload/debug mode.",
"product_ids": [
"20"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "For detailed instructions, please contact your Schneider Electric representative and request \u201cC5 / C264 ISaGRAF vulnerabilities mitigation plan.\u201d",
"product_ids": [
"21"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should use the OS firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.\r\nFor detailed instructions, please contact your Schneider Electric representative and request \u201cGTW ISaGRAF vulnerabilities mitigation plan.\u201d",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DP firmware 11.06.00 or higher and use the product firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"5"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DR firmware 11.06.03 or higher and use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"6"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "Customers should upgrade to the firmware V9.1.0 or later (14942), which incorporates ISaGRAF Workbench V6.6.9. Notification of firmware release can be found here: https://secommunities.force.com/PAkb/s/article/CCN000244525 A reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.",
"product_ids": [
"13"
],
"restart_required": {
"category": "system"
},
"url": "https://secommunities.force.com/PAkb/s/article/CCN000244525"
},
{
"category": "mitigation",
"details": "Implement firewall rules to restrict or block access on TCP port 1131 from outside the industrial control system.\r\nDisable the ISaGRAF/TCP service when not required. Typically, this service is needed only during commissioning or maintenance operations.\r\nLimit and control administrative access rights for ISaGRAF services.\r\nUpgrade to ISaGRAF 6.6.9 (A19.09 Firmware or later).",
"product_ids": [
"7",
"8"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "V8.19.1 of SCADAPack Workbench includes a fix for these vulnerabilities and is available for download here:\r\nhttps://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities.\r\nA reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.\r\nTo verify the remediation is in place, use SCADAPack E Configurator or the RTU command line to display the firmware version.",
"product_ids": [
"9",
"10"
],
"restart_required": {
"category": "system"
},
"url": "https://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities."
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "system"
}
},
{
"category": "vendor_fix",
"details": "SAGE RTU CPU\u2019s C3413 and C3412 have reached their end of life and are no longer supported. Customers should immediately upgrade to the latest CPU C3414 and apply C3414-500-S02K5_P5 or later firmware which can be downloaded here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.",
"product_ids": [
"12"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
}
],
"title": "CVE-2020-25184"
},
{
"cve": "CVE-2020-25180",
"notes": [
{
"category": "description",
"text": "Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the tiny encryption algorithm (TEA) on an entered or saved password. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.\r\n\r\n",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"14",
"15",
"16",
"17",
"18"
],
"known_affected": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
},
"remediations": [
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to T300 firmware V1.4 or higher and use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"1"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "ISaGRAF program upload/debug mode is disabled by default, after enabling for product commissioning, disable ISaGRAF program upload/debug mode.",
"product_ids": [
"20"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "For detailed instructions, please contact your Schneider Electric representative and request \u201cC5 / C264 ISaGRAF vulnerabilities mitigation plan.\u201d",
"product_ids": [
"21"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should use the OS firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.\r\nFor detailed instructions, please contact your Schneider Electric representative and request \u201cGTW ISaGRAF vulnerabilities mitigation plan.\u201d",
"product_ids": [
"4"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DP firmware 11.06.00 or higher and use the product firewall to block TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"5"
],
"restart_required": {
"category": "none"
}
},
{
"category": "mitigation",
"details": "If ISaGRAF is configured, customers should upgrade to Saitel DR firmware 11.06.03 or higher and use the product firewall to block the TCP port 1131 and only unblock it during new program upgrade/debug.\r\nIf ISaGRAF is not configured, the service is not active and the port is closed, then no further action is required.",
"product_ids": [
"6"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "Customers should upgrade to the firmware V9.1.0 or later (14942), which incorporates ISaGRAF Workbench V6.6.9. Notification of firmware release can be found here: https://secommunities.force.com/PAkb/s/article/CCN000244525 A reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.",
"product_ids": [
"13"
],
"restart_required": {
"category": "system"
},
"url": "https://secommunities.force.com/PAkb/s/article/CCN000244525"
},
{
"category": "mitigation",
"details": "Implement firewall rules to restrict or block access on TCP port 1131 from outside the industrial control system.\r\nDisable the ISaGRAF/TCP service when not required. Typically, this service is needed only during commissioning or maintenance operations.\r\nLimit and control administrative access rights for ISaGRAF services.\r\nUpgrade to ISaGRAF 6.6.9 (A19.09 Firmware or later).",
"product_ids": [
"7",
"8"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "V8.19.1 of SCADAPack Workbench includes a fix for these vulnerabilities and is available for download here:\r\nhttps://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities.\r\nA reboot is required when upgrading to new firmware. No user actions are required to apply the remediation beyond upgrading the firmware in the RTU.\r\nTo verify the remediation is in place, use SCADAPack E Configurator or the RTU command line to display the firmware version.",
"product_ids": [
"9",
"10"
],
"restart_required": {
"category": "none"
},
"url": "https://shop.exchange.se.com/en-US/apps/62865/scadapack-e-workbench-and-utilities."
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "none"
}
},
{
"category": "vendor_fix",
"details": "SAGE RTU CPU\u2019s C3413 and C3412 have reached their end of life and are no longer supported. Customers should immediately upgrade to the latest CPU C3414 and apply C3414-500-S02K5_P5 or later firmware which can be downloaded here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.",
"product_ids": [
"12"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
},
{
"category": "vendor_fix",
"details": "Version C3414-500-S02K5_P5 of SAGE RTU CPU 3414 includes a fix for this vulnerability and is available for download here:\r\nhttps://www.sage-rtu.com/downloads.html\r\nReboot of SAGE RTU is required after firmware upgrade.\r\nThis fix disables ISaGRAF by default and provides an additional network service checkbox to allow you to enable the ISaGRAF ETCP task, which will open listening ports to connect with ISaGRAF workbench when needed.\r\nOR\r\nIf the firmware is not upgraded to C3414-500-S02K5_P5, but you are at firmware version C3414-500-S02K2 or above customers should immediately apply the following mitigations to reduce the risk of exploit:\r\nIf ISaGRAF is configured and in use, the built-in firewall can be used to disable ISaGRAF port 1131 and 1113 when the debugger is not in use. Use the following commands in the Firewall configuration to disable external access to ISaGRAF.\r\nblock in proto tcp from any to any port = 1131\r\nblock in proto tcp from any to any port = 1113\r\nIf ISaGRAF is NOT configured and in use, the ISaGRAF port is by default not enabled and does not start automatically, therefore there is no issue or required actions.",
"product_ids": [
"11"
],
"restart_required": {
"category": "system"
},
"url": "https://www.sage-rtu.com/downloads.html"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"20",
"21"
]
}
],
"title": "CVE-2020-25180"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.