Full Report
An attacker with write privileges in the VirtualStore folder can achieve arbitrary code execution by placing ".dll" files in the affected software's directory, because the software loads dynamic libraries in an uncontrolled way.
Analysis Summary
# Vulnerability: Rockwell Automation ISaGRAF Runtime Uncontrolled Search Path Element
## CVE Details
- **CVE ID:** CVE-2020-25182
- **CVSS Score:** 6.7 (Medium) - *Note: While the article text mentions "0.0", the provided vector (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) and standard NVD records calculate to 6.7.*
- **CWE:** CWE-427: Uncontrolled Search Path Element
## Affected Systems
- **Products:**
  - Rockwell Automation ISaGRAF Runtime v5
  - Devices based on ISaGRAF Runtime Toolkit 5
- **Versions:** All versions prior to v5.72.00
- **Configurations:** Systems where users have write privileges to the `VirtualStore` folder and the software is configured to load dynamic libraries without fully qualified paths.
## Vulnerability Description
The ISaGRAF Runtime software loads dynamic link libraries (DLLs) in an uncontrolled manner. Specifically, the application does not properly validate the search path used to locate these libraries. An attacker with high privileges (administrative access) can place a malicious `.dll` file into the `VirtualStore` folder associated with the software directory. When the application (`ISaVM.exe` or `ISaGRAF.exe`) is subsequently executed or restarted, Windows "File Virtualization" may prioritize the malicious DLL in the `VirtualStore`, leading to arbitrary code execution within the context of the application.
## Exploitation
- **Status:** PoC status not explicitly confirmed in text (Publicly documented vulnerability)
- **Complexity:** Low (Requires low skill level to execute the file placement)
- **Attack Vector:** Local (Requires local access to the system and high-level privileges to write to the specific directory)
- **User Interaction:** Required (An administrator or user must restart the application `ISaVM.exe` or `ISaGRAF.exe` for the exploit to trigger)
## Impact
- **Confidentiality:** High (Full access to data handled by the application)
- **Integrity:** High (Ability to modify application logic and system files)
- **Availability:** High (Ability to crash the runtime or disrupt industrial processes)
## Remediation
### Patches
- **Upgrade:** Rockwell Automation recommends upgrading to **ISaGRAF Runtime 5 version 5.72.00** or later.
### Workarounds
- **Least Privilege Principle:** Ensure that the principle of least privilege (POLP) is strictly followed. Limit user and service account access to the Runtime's folder locations, granting only the minimum necessary rights.
- **Access Control:** Restrict write permissions to the application's installation directories and associated `VirtualStore` paths to prevent unauthorized file placement.
## Detection
- **Indicators of Compromise:** Presence of unexpected or unsigned `.dll` files in the `VirtualStore` directory or the software's root installation folder.
- **Detection methods:**
  - Monitor for unauthorized file creation events in `%LOCALAPPDATA%\VirtualStore`.
  - Use Endpoint Detection and Response (EDR) tools to monitor "Module Load" events for `ISaVM.exe` where the DLL path lies outside the standard system directories and the application's own installation directory.
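To make the second detection method concrete, the following Python check (added here as an example; it is not part of this report or of any vendor tooling) applies it to constructed Sysmon Event ID 7 "Image loaded" records. The install directory, the user name and the DLL name are assumptions.

```python
from pathlib import PureWindowsPath

# Assumed install directory of the runtime (placeholder, not stated in the report).
APP_DIR = PureWindowsPath(r"C:\Program Files (x86)\ISaGRAF")
TRUSTED_DIRS = (APP_DIR,
                PureWindowsPath(r"C:\Windows\System32"),
                PureWindowsPath(r"C:\Windows\SysWOW64"))
WATCHED = {"isavm.exe", "isagraf.exe"}  # processes named in the report

# Constructed Sysmon Event ID 7 records, flattened to one line each. "example.dll"
# is an invented name; record 3 shows a VirtualStore copy shadowing the real one.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files (x86)\ISaGRAF\ISaVM.exe; ImageLoaded=C:\Windows\System32\kernel32.dll; Signed=true",
    r"Image=C:\Program Files (x86)\ISaGRAF\ISaVM.exe; ImageLoaded=C:\Program Files (x86)\ISaGRAF\example.dll; Signed=true",
    r"Image=C:\Program Files (x86)\ISaGRAF\ISaVM.exe; ImageLoaded=C:\Users\op\AppData\Local\VirtualStore\Program Files (x86)\ISaGRAF\example.dll; Signed=false",
    r"Image=C:\Windows\explorer.exe; ImageLoaded=C:\Users\op\AppData\Local\VirtualStore\example.dll; Signed=false",
]

def parse_event(line):
    """Split 'Key=Value; Key=Value' into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("; "))

def classify(event):
    """Return the reasons a load by a watched process is suspicious ([] = benign)."""
    if PureWindowsPath(event["Image"]).name.lower() not in WATCHED:
        return []
    dll = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    # File virtualization redirects writes under %LOCALAPPDATA%\VirtualStore\...
    if any(p.name.lower() == "virtualstore" for p in dll.parents):
        reasons.append("loaded from a VirtualStore redirect")
    # PureWindowsPath comparisons are case-insensitive, so membership suffices.
    if not any(d in dll.parents for d in TRUSTED_DIRS):
        reasons.append("outside the application and system directories")
    if event.get("Signed", "").lower() != "true":
        reasons.append("module is unsigned")
    return reasons

def find_suspicious(lines):
    """Return (loaded path, reasons) for every flagged record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

On the constructed records only the VirtualStore copy of `example.dll` loaded by `ISaVM.exe` is flagged, with all three reasons; the same shadowed-path check applies to whichever process name and install path a real deployment uses.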
## References
- **Vendor Advisory:** <https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699> (Requires Login)
- **NVD Entry:** <https://nvd.nist.gov/vuln/detail/CVE-2020-25182>
- **Original Research:** <https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-024-rockwell-automation-isagraf-runtime-code-execution-due-to-uncontrolled-search-path-element/>