Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N
Vendors Products
Schneider-electric
  • Saitel Dp
  • Easergy C5 Firmware
  • Scd2200 Firmware
  • Epas Gtw
  • Pacis Gtw
  • Easergy T300 Firmware
  • Easergy C5
  • Micom C264
  • Micom C264 Firmware
  • Saitel Dr
  • Pacis Gtw Firmware
  • Easergy T300
  • Cp-3
  • Saitel Dp Firmware
  • Mc-31
  • Epas Gtw Firmware
  • Saitel Dr Firmware
Rockwellautomation
  • Micro810
  • Micro830 Firmware
  • Micro810 Firmware
  • Micro850
  • Micro820 Firmware
  • Aadvance Controller
  • Micro830
  • Micro870 Firmware
  • Micro850 Firmware
  • Isagraf Free Runtime
  • Micro820
  • Isagraf Runtime
  • Micro870
Xylem
  • Multismart Firmware

Configuration 1 [-]

AND
cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:schneider-electric:easergy_c5_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:easergy_c5:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:schneider-electric:micom_c264_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:micom_c264:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
OR cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.1:*:*:*:*:windows:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.2:*:*:*:*:windows:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.1:*:*:*:*:windows:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:*:*:*:*:linux:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:*:*:*:*:windows:*:*
cpe:2.3:h:schneider-electric:pacis_gtw:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:schneider-electric:saitel_dp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:saitel_dp:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
OR cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:*:*:*:*:linux:*:*
cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:*:*:*:*:windows:*:*
cpe:2.3:h:schneider-electric:epas_gtw:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:schneider-electric:saitel_dr_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:saitel_dr:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:schneider-electric:scd2200_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:schneider-electric:cp-3:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:mc-31:-:*:*:*:*:*:*:*

Configuration 9 [-]

OR cpe:2.3:a:rockwellautomation:aadvance_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:rockwellautomation:isagraf_free_runtime:*:*:*:*:*:isagraf6_workbench:*:*
cpe:2.3:a:rockwellautomation:isagraf_runtime:*:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:rockwellautomation:micro810_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro810:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:rockwellautomation:micro820_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro820:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:o:rockwellautomation:micro830_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro830:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND
cpe:2.3:o:rockwellautomation:micro850_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro850:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND
cpe:2.3:o:rockwellautomation:micro870_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro870:-:*:*:*:*:*:*:*

Configuration 15 [-]

cpe:2.3:o:xylem:multismart_firmware:*:*:*:*:*:*:*:*
References
Link Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04 Vendor Advisory
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699 Permissions Required
https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01 Third Party Advisory US Government Resource
https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf Vendor Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2022-03-18T18:00:32

Updated: 2022-03-18T18:00:32

Reserved: 2020-09-04T00:00:00

Link: CVE-2020-25184

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2022-03-18T18:15:09.300

Modified: 2022-10-21T18:55:28.467

Link: CVE-2020-25184

JSON object: View

cve-icon Redhat Information

No data.

CWE