## Full Report
This report includes an analysis of the ISaGRAF framework, its architecture, the IXL and SNCP protocols, and a description of several vulnerabilities that the Kaspersky ICS CERT team identified.
## Analysis Summary
The following summary is based on the technical analysis of the ISaGRAF framework and its proprietary protocols (IXL and SNCP) conducted by Kaspersky ICS CERT.
# Vulnerability: Multiple Flaws in ISaGRAF Runtime and Protocols (ISaPWN)
## CVE Details
*Note: Due to the nature of the ISaGRAF framework being integrated into numerous third-party OEM products (e.g., Schneider Electric, Rockwell Automation), many vulnerabilities map to vendor-specific CVEs.*
- **Major CVEs included:**
  - **CVE-2020-25209**: CVSS 10.0 (Critical) - Unauthenticated Remote Code Execution.
  - **CVE-2020-25211**: CVSS 10.0 (Critical) - Unauthenticated Remote Code Execution.
  - **CVE-2020-25210**: CVSS 7.5 (High) - Denial of Service.
- **CWEs:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-287 (Improper Authentication), CWE-20 (Improper Input Validation).
## Affected Systems
- **Products:** ISaGRAF Runtime (embedded in PLCs and industrial controllers), ISaGRAF Workbench.
- **Versions:** ISaGRAF 5, ISaGRAF 6, and derivatives used in OEM products.
- **Configurations:** Systems utilizing the IXL (ISaGRAF eXchange Layer) and SNCP (Simple Network Control Protocol) on TCP ports 1131 and 1132.
## Vulnerability Description
The research identified systemic flaws in the proprietary IXL and SNCP protocols. The primary issues involve:
1. **Lack of Authentication:** Many functions within the IXL protocol allow for system configuration changes and file uploads without requiring credentials.
2. **Memory Corruption:** Buffer overflow vulnerabilities exist in the way the ISaGRAF Runtime parses specially crafted packets during the synchronization of distributed applications.
3. **Insecure Logic Handling:** The framework allows application logic (Program Organization Units, POUs) to be replaced remotely, which effectively lets an attacker overwrite the PLC's control logic.
## Exploitation
- **Status:** PoC available (developed by researchers for demonstration); no confirmed exploitation in the wild at the time of the report.
- **Complexity:** Low to Medium (requires knowledge of the proprietary IXL protocol structure).
- **Attack Vector:** Network (Remote via TCP/IP).
## Impact
- **Confidentiality:** High (Ability to read sensitive process data and project files).
- **Integrity:** Critical (Ability to modify control logic and device configuration).
- **Availability:** Critical (Ability to crash the Runtime or stop the industrial process).
## Remediation
### Patches
- **Schneider Electric:** Refer to advisory SEVD-2020-259-01 for updates to affected products (e.g., SCADAPack).
- **Rockwell Automation:** Refer to Knowledgebase Article PN1555.
- Users of other ISaGRAF-based hardware should contact their specific OEM vendor for firmware updates.
### Workarounds
- **Network Segmentation:** Isolate ICS networks that include ISaGRAF devices from the corporate network and the internet.
- **Port Filtering:** Block TCP ports 1131 and 1132 at the perimeter and between functional zones.
- **VPN:** Use secure, authenticated tunnels for any remote engineering access.
## Detection
- **Indicators of Compromise:** Unusual traffic bursts on ports 1131/1132; unauthorized "Login" or "Write" commands observed in protocol logs.
- **Detection Methods:**
  - Use Deep Packet Inspection (DPI) capable firewalls to monitor IXL protocol commands.
  - Monitor for unauthorized file transfer operations targeting the PLC filesystem.
  - Use Kaspersky Industrial CyberSecurity for Networks (KICS) with signatures specifically designed for ISaGRAF protocol anomalies.
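The detection points above, as an added example that is not part of the Kaspersky report or any vendor tooling: it flags TCP 1131/1132 connections from hosts outside an assumed engineering-workstation allow-list, per-minute connection bursts, and "Login"/"Write" commands from unapproved sources in a DPI export. The log formats, host addresses and threshold are constructed for this example.

```python
# Added example, not code from the Kaspersky report. Log formats, hosts and
# thresholds below are constructed assumptions; adapt parsers to your DPI export.
from collections import Counter

ISAGRAF_PORTS = {1131, 1132}                 # IXL / SNCP listeners (from the advisory)
ENGINEERING_HOSTS = {"10.0.5.10"}            # assumed approved engineering workstations
BURST_THRESHOLD = 10                         # connections per source per minute (assumed)
WATCHED_COMMANDS = {"Login", "Write"}        # commands named in the advisory's IoCs

def parse_flow(line):
    """Constructed flow-log line: '<iso_ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def analyze_flows(lines):
    """Flag ISaGRAF-port connections from unapproved hosts and per-minute bursts."""
    alerts, per_minute = [], Counter()
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in ISAGRAF_PORTS:
            continue
        if f["src"] not in ENGINEERING_HOSTS:
            alerts.append(f"unapproved source {f['src']} -> {f['dst']}:{f['dport']}")
        per_minute[(f["src"], f["ts"][:16])] += 1   # key: source + 'YYYY-MM-DDTHH:MM'
    for (src, minute), n in per_minute.items():
        if n >= BURST_THRESHOLD:
            alerts.append(f"burst: {n} ISaGRAF connections from {src} in {minute}")
    return alerts

def analyze_protocol_log(lines):
    """Constructed DPI line: '<iso_ts> <src_ip> <command> [args]' (decoded operation)."""
    alerts = []
    for line in lines:
        ts, src, cmd = line.split(maxsplit=2)
        if cmd.split()[0] in WATCHED_COMMANDS and src not in ENGINEERING_HOSTS:
            alerts.append(f"unauthorized '{cmd}' from {src} at {ts}")
    return alerts

# Constructed sample data: one legitimate session, one unrelated flow, and a
# burst of 12 connections from an unapproved host within the same minute.
FLOWS = ["2022-05-23T10:00:01 10.0.5.10 10.0.5.50 1131 tcp",
         "2022-05-23T10:00:02 10.0.9.77 10.0.5.50 443 tcp"]
FLOWS += [f"2022-05-23T10:01:{i:02d} 10.0.9.77 10.0.5.50 1131 tcp" for i in range(12)]
PROTO_LOG = ["2022-05-23T10:00:02 10.0.5.10 Login",
             "2022-05-23T10:01:03 10.0.9.77 Login",
             "2022-05-23T10:01:04 10.0.9.77 Write resource=app1.pou",
             "2022-05-23T10:01:05 10.0.9.77 Read status"]
```

Running `analyze_flows(FLOWS)` on the sample yields twelve unapproved-source alerts plus one burst alert, and `analyze_protocol_log(PROTO_LOG)` yields two command alerts, both for the unapproved host.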
## References
- **Vendor Advisory (Schneider):** hxxps[://]www[.]se[.]com/ww/en/download/document/SEVD-2020-259-01/
- **Kaspersky Full Report:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2022/05/23/isapwn-research-on-the-security-of-isagraf-runtime/
- **CISA Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-20-259-04