Several vulnerabilities discovered by Kaspersky researchers in Rockwell Automation software impact industrial products from Schneider Electric, GE and other vendors.
The security holes were identified in Rockwell Automation’s ISaGRAF, which is designed for the development of automation products.
The most serious of them appears to be CVE-2020-25176, a critical issue that can be exploited by “a remote attacker authenticated on the IXL [ISaGRAF eXchange Layer] protocol to traverse an application’s directory, which could lead to remote code execution.”
Another potentially serious issue is CVE-2020-25178, a high-severity flaw related to the cleartext transmission of information. A remote, unauthenticated attacker can exploit it to upload, read or delete files.
CVE-2020-25184, which has also been rated high severity, can be exploited by a local, unauthenticated attacker to obtain user passwords, which are stored in plain text in a file.
Two other vulnerabilities identified by Kaspersky have been rated medium severity. One allows a local, unauthenticated attacker to execute arbitrary code, while the other can lead to information disclosure and can be exploited remotely without authentication.
Evgeny Goncharov, head of the ICS Cyber Emergency Response Team at Kaspersky, told SecurityWeek that the impact of these vulnerabilities — if they were to be exploited in attacks — depends on what the targeted device is used for.
“As some of the affected products are known to be used to control ind ..