Full Report
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible to traverse the ISaGRAF Runtime application's directory.

Scope changed: it is possible to break out from the application's []
Analysis Summary
# Vulnerability: Rockwell Automation ISaGRAF Runtime Remote Code Execution via Path Traversal
## CVE Details
- **CVE ID:** CVE-2020-25176
- **CVSS Score:** 9.1 (Critical) - *Note: Based on the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H provided in the source.*
- **CWE:** CWE-23: Relative Path Traversal
## Affected Systems
- **Products:**
  - AADvance Controller
  - ISaGRAF Runtime 5 based controllers
  - Micro800 Family (Micro830, Micro850, Micro870)
  - ISaGRAF Free Runtime
- **Versions:**
  - AADvance: All firmware versions ≤ 1.40
  - ISaGRAF Runtime 5: All software versions < 5.72.00
  - Micro800: All firmware versions
  - ISaGRAF Free Runtime: All software versions < 5.72.00
- **Configurations:** Systems where the ISaGRAF eXchange Layer (IXL) protocol is accessible over the network.
## Vulnerability Description
The ISaGRAF eXchange Layer (IXL) protocol contains commands intended for file operations within the file system. The protocol fails to properly validate parameters pointing to file names for reserved characters (such as `../`). This lack of sanitization allows an attacker to perform a relative path traversal, escaping the intended application directory. By breaking out of the application folder, an attacker can read, modify, or delete any files on the host filesystem with the privileges of the IXL service, ultimately leading to Remote Code Execution (RCE).
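The weakness described above is the classic CWE-23 pattern: a client-supplied file name is joined to the application directory without checking whether the resulting path still lies inside it. The following Python example, added here and not taken from ISaGRAF or the advisory, contrasts an illustrative unchecked resolver with a hardened one that canonicalises the path and confines it to the base directory. The application directory, the function names and the sample file names are assumptions chosen for the example.

```python
import os
import tempfile
from typing import Optional

# Constructed stand-in for the runtime's application directory; the real
# ISaGRAF layout is not reproduced here.
APP_DIR = tempfile.mkdtemp(prefix="isagraf_app_")


def resolve_unchecked(base_dir: str, name: str) -> str:
    """Illustrative vulnerable pattern (not ISaGRAF's code): the supplied name
    is joined to base_dir and normalised, but never checked, so '..' segments
    or an absolute name leave the application directory."""
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_confined(base_dir: str, name: str) -> str:
    """Hardened pattern: canonicalise both sides (symlinks included) and
    require the target to remain under the canonical base directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath avoids the string-prefix pitfall where "/app2" matches "/app".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes application directory: {name!r}")
    return target


def escapes_app_dir(name: str, base_dir: str = APP_DIR) -> bool:
    """True when the unchecked resolver would produce a path outside base_dir."""
    base = os.path.realpath(base_dir)
    target = resolve_unchecked(base, name)
    return os.path.commonpath([base, target]) != base


def confined_name(name: str, base_dir: str = APP_DIR) -> Optional[str]:
    """Confined resolution as a predicate: the resolved path, or None if rejected."""
    try:
        return resolve_confined(base_dir, name)
    except ValueError:
        return None


if __name__ == "__main__":
    for candidate in ("project/resource.bin", "../../etc/passwd", "/etc/passwd"):
        print(f"{candidate!r}: unchecked escapes={escapes_app_dir(candidate)}, "
              f"confined={confined_name(candidate)}")
```

The confined resolver rejects both relative traversal (`..` segments) and absolute names, which `os.path.join` would otherwise accept as a replacement for the base directory; both checks are needed for the same reason the advisory's fix validates the file-name parameter rather than trusting it.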
## Exploitation
- **Status:** The source does not state whether a public proof of concept exists; the vulnerability is confirmed by the vendor.
- **Complexity:** Low (Low skill level required).
- **Attack Vector:** Network (Remote exploitation requires access to specific ports).
## Impact
- **Confidentiality:** High (Ability to read arbitrary files).
- **Integrity:** High (Ability to modify or upload malicious files).
- **Availability:** High (Ability to delete critical system files).
## Remediation
### Patches
- **ISaGRAF Runtime 5:** Upgrade to version 5.72.00 or later.
- **ISaGRAF Free Runtime:** Upgrade to version 5.72.00 or later.
### Workarounds
- **Least Privilege:** Ensure the ISaGRAF service/user account is granted the minimum necessary rights to the Runtime folder.
- **Micro800 Series:**
  - Enable password protection on the controller.
  - Set the physical mode switch to "RUN" to prevent unauthorized changes.
- **Network Filtering:** Block or restrict traffic from outside the ICS network zone on the following ports:
  - **TCP 1131:** ISaGRAF
  - **TCP 1132:** AADvance
  - **TCP 44818:** Micro800 series
## Detection
- **Indicators of Compromise:** Monitor for unusual file access patterns or unexpected file uploads/deletions within the ISaGRAF directory and the wider filesystem.
- **Detection methods and tools:** Network intrusion detection systems (IDS) should monitor TCP ports 1131, 1132, and 44818 for directory traversal sequences (e.g., dot-dot-slash) within the IXL protocol payload.
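As an added illustration of the detection approach above (not part of the advisory), the Python example below scans captured payloads on the three listed ports for dot-dot-slash sequences, including the backslash and percent-encoded spellings that a simple literal match for `../` would miss. The IXL wire format is not documented on this page, so the records are constructed samples in which payloads are treated as opaque bytes; the source addresses, the record layout and the function names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Ports named in the advisory's network-filtering and detection guidance.
WATCHED_PORTS = {1131, 1132, 44818}

# Constructed sample records: (source address, destination port, payload).
# These are not real IXL messages; only the embedded file-name strings matter.
SAMPLE_RECORDS = [
    ("10.0.5.20", 1131, b"\x10\x02PROJECT\x00resource.bin\x00"),
    ("10.0.5.21", 1131, b"\x10\x02..\\..\\system\\hosts.txt\x00"),
    ("10.0.5.22", 1132, b"\x10\x02../../etc/passwd\x00"),
    ("10.0.5.23", 44818, b"\x10\x02%2e%2e%2f%2e%2e%2fetc%2fshadow\x00"),
    ("10.0.5.24", 8080, b"GET /../../x HTTP/1.1"),    # port outside the watched set
    ("10.0.5.25", 1131, b"\x10\x02config..bak\x00"),  # '..' inside a name is not traversal
]

# Two dots (raw or %2e) followed by a forward slash, backslash, %2f or %5c;
# case-insensitive so %2E / %5C are caught as well.
_TRAVERSAL = re.compile(rb"(?:\.|%2e){2}(?:/|\\|%2f|%5c)", re.IGNORECASE)


class Alert(NamedTuple):
    src: str
    port: int
    matched: bytes


def find_traversal(payload: bytes) -> Optional[bytes]:
    """Return the first traversal sequence found in payload, or None."""
    m = _TRAVERSAL.search(payload)
    return m.group(0) if m else None


def scan(records) -> List[Alert]:
    """Emit one Alert per record on a watched port whose payload carries a
    traversal sequence; traffic on other ports is ignored by this rule."""
    alerts: List[Alert] = []
    for src, port, payload in records:
        if port not in WATCHED_PORTS:
            continue
        hit = find_traversal(payload)
        if hit is not None:
            alerts.append(Alert(src, port, hit))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"traversal sequence {alert.matched!r} from {alert.src} on TCP/{alert.port}")
```

The rule deliberately keys on the separator after the two dots, so a legitimate name such as `config..bak` does not fire, while an encoded `%2e%2e%5c` does. In an IDS this is a signature on payload content; it should be paired with the file-activity monitoring named under Indicators of Compromise, since a single encoded variant the signature does not cover would otherwise go unseen.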
## References
- **Vendor Advisory:** hxxps://rockwellautomation.custhelp[.]com/app/answers/answer_view/a_id/1131699
- **NVD Entry:** hxxps://nvd.nist[.]gov/vuln/detail/CVE-2020-25176
- **Kaspersky Advisory:** hxxps://ics-cert.kaspersky[.]com/advisories/2021/07/13/klcert-20-022-rockwell-automation-isagraf-runtime-code-execution-due-to-relative-path-traversal/