Details of VAR-202106-1996

ID

VAR-202106-1996

CVE

CVE-2020-25176

TITLE

Rockwell Automation Made ISaGRAF5 Runtime Multiple vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2021-001882

DESCRIPTION

Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution. Rockwell Automation Provided by the company ISaGRAF5 Runtime contains multiple vulnerabilities: * relative path traversal (CWE-23) - CVE-2020-25176 It was * Plain text storage of authentication information (CWE-256) - CVE-2020-25184 It was * Sending important information in clear text (CWE-319) - CVE-2020-25178 It was * DLL File search paths are not properly controlled (CWE-427) - CVE-2020-25182 It was * Using hardcoded encryption keys (CWE-321) - CVE-2020-25180The expected impacts vary depending on the vulnerability, but some of the following may occur: * Arbitrary code is executed by a remote third party - CVE-2020-25176 It was * Passwords and information may be stolen by local users. - CVE-2020-25184 It was * Files can be uploaded, read, and deleted by a remote third party. - CVE-2020-25178 It was * ISaGRAF Runtime But Microsoft Windows If the vulnerability is running on a local machine, a local attacker may be able to execute arbitrary code. - CVE-2020-25182 It was * Information may be stolen by a remote third party. - CVE-2020-25180. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2020-25176 // JVNDB: JVNDB-2021-001882 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-179128

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	isagraf runtime	scope:	lt	version:	6.0	Trust: 1.0
vendor:	schneider electric	model:	micom c264	scope:	lt	version:	d6.1	Trust: 1.0
vendor:	schneider electric	model:	pacis gtw	scope:	eq	version:	5.1	Trust: 1.0
vendor:	schneider electric	model:	pacis gtw	scope:	eq	version:	6.3	Trust: 1.0
vendor:	rockwellautomation	model:	isagraf runtime	scope:	gte	version:	5.0	Trust: 1.0
vendor:	schneider electric	model:	saitel dp	scope:	lte	version:	11.06.21	Trust: 1.0
vendor:	schneider electric	model:	epas gtw	scope:	eq	version:	6.4	Trust: 1.0
vendor:	schneider electric	model:	saitel dr	scope:	lte	version:	11.06.12	Trust: 1.0
vendor:	xylem	model:	multismart	scope:	lt	version:	3.2.0	Trust: 1.0
vendor:	rockwellautomation	model:	micro820	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	easergy t300	scope:	lte	version:	2.7.1	Trust: 1.0
vendor:	rockwellautomation	model:	micro870	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	pacis gtw	scope:	eq	version:	5.2	Trust: 1.0
vendor:	rockwellautomation	model:	micro810	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	scd2200	scope:	lte	version:	10024	Trust: 1.0
vendor:	rockwellautomation	model:	micro850	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	pacis gtw	scope:	eq	version:	6.1	Trust: 1.0
vendor:	rockwellautomation	model:	micro830	scope:	eq	version:	-	Trust: 1.0
vendor:	rockwellautomation	model:	aadvance controller	scope:	lte	version:	1.40	Trust: 1.0
vendor:	rockwellautomation	model:	isagraf free runtime	scope:	lte	version:	6.6.8	Trust: 1.0
vendor:	schneider electric	model:	easergy c5	scope:	lt	version:	1.1.0	Trust: 1.0
vendor:	rockwell automation	model:	isagraf runtime	scope:	-	version:	-	Trust: 0.8
vendor:	xylem	model:	multismart	scope:	-	version:	-	Trust: 0.8
vendor:	ge steam power	model:	alspa s6 mfc1000	scope:	-	version:	-	Trust: 0.8
vendor:	ge steam power	model:	alspa s6 mfc3000	scope:	-	version:	-	Trust: 0.8
vendor:	rockwell automation	model:	aadvance controller	scope:	-	version:	-	Trust: 0.8
vendor:	rockwell automation	model:	isagraf free runtime	scope:	-	version:	-	Trust: 0.8
vendor:	rockwell automation	model:	micro800	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-001882 // NVD: CVE-2020-25176

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-25176
value:	CRITICAL
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2020-25176
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2020-25176
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202106-530
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-179128
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-25176
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-179128
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-25176
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2020-25176
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.1
Trust: 1.0
IPA:	JVNDB-2021-001882
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-179128 // JVNDB: JVNDB-2021-001882 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-530 // NVD: CVE-2020-25176 // NVD: CVE-2020-25176

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-23	Trust: 1.0
problemtype:	Relative past traversal (CWE-23) [IPA evaluation ]	Trust: 0.8
problemtype:	Plain text storage of authentication information (CWE-256) [IPA evaluation ]	Trust: 0.8
problemtype:	Sending important information in clear text (CWE-319) [IPA evaluation ]	Trust: 0.8
problemtype:	Using hardcoded encryption keys (CWE-321) [IPA evaluation ]	Trust: 0.8
problemtype:	Uncontrolled search path elements (CWE-427) [IPA evaluation ]	Trust: 0.8

sources: VULHUB: VHN-179128 // JVNDB: JVNDB-2021-001882 // NVD: CVE-2020-25176

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-530

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Xylem Product Security Advisory	url:	https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699	Trust: 0.8
title:	Rockwell Automation ISaGRAF Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=153710	Trust: 0.6

sources: JVNDB: JVNDB-2021-001882 // CNNVD: CNNVD-202106-530

EXTERNAL IDS

db:	NVD	id:	CVE-2020-25176	Trust: 3.3
db:	ICS CERT	id:	ICSA-20-280-01	Trust: 2.5
db:	SCHNEIDER	id:	SEVD-2021-159-04	Trust: 1.7
db:	JVN	id:	JVNVU90811375	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-001882	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021120106	Trust: 0.6
db:	CS-HELP	id:	SB2021060920	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2163	Trust: 0.6
db:	CNNVD	id:	CNNVD-202106-530	Trust: 0.6
db:	VULHUB	id:	VHN-179128	Trust: 0.1

sources: VULHUB: VHN-179128 // JVNDB: JVNDB-2021-001882 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-530 // NVD: CVE-2020-25176

REFERENCES

url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-159-04	Trust: 1.7
url:	https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699	Trust: 1.7
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01	Trust: 1.7
url:	https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf	Trust: 1.7
url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-280-01	Trust: 1.4
url:	http://jvn.jp/cert/jvnvu90811375	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25176	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25178	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25180	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25182	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25184	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2020-25176/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2163	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021060920	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021120106	Trust: 0.6

sources: VULHUB: VHN-179128 // JVNDB: JVNDB-2021-001882 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-530 // NVD: CVE-2020-25176

CREDITS

Kaspersky reported these vulnerabilities to Rockwell Automation.

Trust: 0.6

sources: CNNVD: CNNVD-202106-530

SOURCES

db:	VULHUB	id:	VHN-179128
db:	JVNDB	id:	JVNDB-2021-001882
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202106-530
db:	NVD	id:	CVE-2020-25176

LAST UPDATE DATE

2024-08-14T12:57:48.990000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-179128	date:	2022-04-04T00:00:00
db:	JVNDB	id:	JVNDB-2021-001882	date:	2024-06-20T08:49:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202106-530	date:	2022-04-06T00:00:00
db:	NVD	id:	CVE-2020-25176	date:	2022-04-04T20:56:17.697

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-179128	date:	2022-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2021-001882	date:	2021-06-11T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202106-530	date:	2021-06-08T00:00:00
db:	NVD	id:	CVE-2020-25176	date:	2022-03-18T18:15:09.060