ISaGRAF Runtime stores the password in plaintext both in memory and in a file located in the same directory as the executable ISAGRAF.exe.
# Vulnerability: ISaGRAF Runtime Cleartext Password Storage
## CVE Details
- CVE ID: CVE-2020-25184
- CVSS Score: 0.0 (None; the high privilege requirement makes exploitation moot under normal circumstances)
- CWE: CWE-256: Plaintext Storage of a Password
## Affected Systems
- Products: Rockwell Automation ISaGRAF Runtime, Devices based on ISaGRAF Runtime Toolkit, AADvance Controller.
- Versions: ISaGRAF Runtime v5 before 5.72.00, AADvance Controller (All firmware versions).
- Configurations: N/A
## Vulnerability Description
The ISaGRAF Runtime component stores target passwords (`target-password`) in plaintext both in process memory and in an associated file located within the VirtualStore directory (which is usually alongside the executable). This presents a cleartext information disclosure risk.
## Exploitation
- Status: PoC available (implied by the existence of the plaintext file, but exploitation is impractical because it requires high privileges)
- Complexity: Low (reading the file or process memory requires little skill *if* the necessary privileges have already been obtained)
- Attack Vector: Local
## Impact
- Confidentiality: High (Plaintext passwords are exposed)
- Integrity: No impact
- Availability: No impact
*Note: The vendor advisory suggests this vulnerability should be ignored because exploitation requires an attacker to already possess administrative privileges, at which point direct access to the system makes exploiting this specific flaw unnecessary.*
## Remediation
### Patches
- Upgrade ISaGRAF Runtime to version **5.72.00 or later**.
### Workarounds
1. **Principle of Least Privilege (PoLP):** Ensure that user/service accounts accessing the Runtime’s folder location are granted the minimum level of rights necessary.
2. **Network Segmentation:** Restrict or block incoming traffic on TCP port **1131** (for ISaGRAF) and TCP port **1132** (for AADvance controllers) from outside the industrial control system (ICS) network zone.
## Detection
- **Indicators of Compromise (IoCs):** Look for read operations against the password file stored within the application's VirtualStore directory by unauthorized processes.
- **Detection Methods and Tools:** Standard file integrity monitoring (FIM) tools checking modification or access to the application directory structure, or memory analysis tools if access to privileged segments is possible.
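One way to implement the IoC above as detection logic, added here as an example that is not part of this report or of any vendor tooling: it scans object-access records shaped like Windows Security event 4663 and flags data reads of the VirtualStore copy of the password file by any process other than ISAGRAF.exe. The file name, the VirtualStore path and the sample events are constructed placeholders, since the advisory does not name the file.

```python
from dataclasses import dataclass

# Assumptions (placeholders, not from the advisory): the password file sits under a
# VirtualStore path that also contains the ISaGRAF install folder name; its real file
# name is not given in the advisory, so "<password-file>" stands in for it.
PATH_HINTS = ("virtualstore", "isagraf")
AUTHORIZED_PROCESSES = {"isagraf.exe"}          # the Runtime itself may read the file
FILE_READ_DATA = 0x1                             # access-mask bit for reading file data


@dataclass(frozen=True)
class FileAccessEvent:
    """Minimal view of a Windows Security event 4663 (object access) record."""
    event_id: int
    subject: str        # account that opened the handle
    object_name: str    # file path that was accessed
    process_name: str   # full path of the accessing process
    access_mask: int    # requested access rights (hex in the real event)


def is_password_file(path: str) -> bool:
    """True if the path looks like the VirtualStore copy of the ISaGRAF password file."""
    low = path.lower()
    return all(hint in low for hint in PATH_HINTS)


def is_unauthorized_read(ev: FileAccessEvent) -> bool:
    """Flag data reads of the password file by anything other than ISAGRAF.exe."""
    if ev.event_id != 4663 or not ev.access_mask & FILE_READ_DATA:
        return False
    if not is_password_file(ev.object_name):
        return False
    exe = ev.process_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe not in AUTHORIZED_PROCESSES


def find_suspicious_reads(events) -> list:
    return [ev for ev in events if is_unauthorized_read(ev)]


# Constructed sample events for an offline run (not captured from a real host).
PWFILE = r"C:\Users\operator\AppData\Local\VirtualStore\Program Files (x86)\ISaGRAF\<password-file>"
SAMPLE_EVENTS = [
    FileAccessEvent(4663, "PLANT\\operator", PWFILE, r"C:\Program Files (x86)\ISaGRAF\ISAGRAF.exe", 0x1),
    FileAccessEvent(4663, "PLANT\\operator", PWFILE, r"C:\Windows\System32\cmd.exe", 0x1),
    FileAccessEvent(4663, "PLANT\\operator", PWFILE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 0x80),
    FileAccessEvent(4663, "PLANT\\operator", r"C:\Users\operator\AppData\Local\VirtualStore\Program Files (x86)\Other\settings.ini", r"C:\Windows\System32\notepad.exe", 0x1),
]

if __name__ == "__main__":
    for ev in find_suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT: {ev.subject} read {ev.object_name} via {ev.process_name}")
```

Only the cmd.exe event is flagged: the Runtime's own read is authorized, the PowerShell event requests only attribute access (0x80), and the notepad.exe event touches an unrelated VirtualStore file.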
## References
- Vendor Advisory: hxxps://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699
- ICS CERT Advisory: hxxps://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-026-rockwell-automation-isagraf-runtime-information-disclosure-due-to-cleartext-storage-of-passwords-in-a-file-and-memory/