Full Report
A remote attacker is able to decrypt passwords captured during a Man-in-the-Middle attack, because the affected software uses the Tiny Encryption Algorithm (TEA) with fixed keys to encrypt passwords transmitted over the ISaGRAF eXchange Layer protocol.
Analysis Summary
# Vulnerability: Hard-coded Key in ISaGRAF Runtime Allows Password Decryption
## CVE Details
- CVE ID: CVE-2020-25180
- CVSS Score: 4.8 (Medium)
- CWE: CWE-321: Use of Hard-coded Cryptographic Key
## Affected Systems
- Products: Rockwell Automation ISaGRAF Runtime Toolkit, AADvance Controller, and controllers based on ISaGRAF Runtime 5
- Versions: ISaGRAF Runtime 5 before version 5.72.00, AADvance Controller before version 1.041.3
- Configurations: Environments using the ISaGRAF eXchange Layer (IXL) protocol for password transmission.
## Vulnerability Description
The affected software utilizes the Tiny Encryption Algorithm (TEA) with fixed, hard-coded cryptographic keys to encrypt passwords transmitted over the proprietary ISaGRAF eXchange Layer (IXL) protocol. A remote attacker capable of performing a Man-in-the-Middle (MiTM) attack can intercept the encrypted traffic, and due to the predictable, fixed keys, decrypt the captured passwords.
## Exploitation
- Status: PoC available (inferred from the nature of the flaw and its context; the sources do not explicitly state whether a public PoC exists, but the vulnerability is remotely exploitable)
- Complexity: High (Requires the attacker to execute a Man-in-the-Middle attack)
- Attack Vector: Network (Requires network access to the target, specifically port 1131/TCP for ISaGRAF)
## Impact
- Confidentiality: High (Passwords can be leaked)
- Integrity: Low/None (No direct impact implied on control/integrity)
- Availability: Low/None (No direct impact implied on system availability)
## Remediation
### Patches
- Upgrade to ISaGRAF Runtime 5 version 5.72.00 or later.
### Workarounds
- **Network Segmentation:** Minimize network exposure for all control system devices. Isolate control systems behind firewalls and other security appliances (UTM, VPN).
- **Port Restriction:** Restrict or block traffic on TCP port 1131 (used by ISaGRAF) from outside the industrial control system network zone.
- **AADvance Specific:** Restrict or block traffic on TCP port 1132 for AADvance controllers from outside the ICS network zone.
- **Principle of Least Privilege:** Implement least-privilege access controls for ISaGRAF components.
## Detection
- **Indicators of Compromise:** Suspicious network traffic to port 1131/TCP (and potentially 1132/TCP) on ISaGRAF Runtime devices, especially when it originates from untrusted network segments.
- **Detection Methods and Tools:** Network monitoring tools capable of inspecting protocol handshakes or traffic patterns associated with the IXL protocol, specifically looking for communication on port 1131/TCP.
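As an added example (not part of the advisory or of any Rockwell Automation tooling), the following Python filter applies the detection rule above to flow records: it flags TCP connections to the ISaGRAF port 1131 and AADvance port 1132 whose source address lies outside the ICS zone. The record format, the ICS zone range and the sample flows are all constructed for this example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Ports named in the advisory: 1131/TCP (ISaGRAF Runtime), 1132/TCP (AADvance).
ISAGRAF_PORTS = {1131, 1132}

# Assumed ICS zone address range (constructed for this example; substitute your own zones).
ICS_ZONES = [ipaddress.ip_network("10.50.0.0/16")]


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one whitespace-separated flow record of the constructed form:
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto.lower()}


def in_ics_zone(addr) -> bool:
    """True when the address belongs to one of the configured ICS zone ranges."""
    return any(addr in net for net in ICS_ZONES)


def find_suspicious(lines: Iterable[str]) -> List[str]:
    """Return one alert string per TCP flow to an IXL/AADvance port whose source
    is outside the ICS zone, i.e. traffic the workarounds say should be blocked."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in ISAGRAF_PORTS:
            continue
        if in_ics_zone(f["src"]):
            continue  # engineering-workstation traffic inside the zone is expected
        alerts.append(f"{f['ts']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}/tcp "
                      "(ISaGRAF port reached from outside the ICS zone)")
    return alerts


# Constructed sample records: one in-zone IXL flow, two out-of-zone hits, one unrelated port.
SAMPLE_FLOWS = [
    "2020-10-01T08:00:01Z 10.50.1.20 51000 10.50.2.10 1131 TCP",
    "2020-10-01T08:00:05Z 192.0.2.7 44321 10.50.2.10 1131 TCP",
    "2020-10-01T08:00:09Z 198.51.100.3 40022 10.50.2.11 1132 TCP",
    "2020-10-01T08:00:12Z 192.0.2.7 44400 10.50.2.10 443 TCP",
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_FLOWS):
        print(alert)
```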
## References
- Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699
- Best Practices Guide: hxxps://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
- Port Information: hxxps://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/0898270