CVE-2020-25176

Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution.

CVSS v3 9.8 CRITICAL
CVSS v2.0 9.3 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04	Mitigation Vendor Advisory
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699	Permissions Required
https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01	Third Party Advisory US Government Resource
https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:schneider-electric:easergy_c5_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:easergy_c5:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:schneider-electric:micom_c264_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:micom_c264:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.1:::::windows::
	cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.2:::::windows::
	cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.1:::::windows::
	cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:::::linux::
	cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:::::windows::

cpe:2.3:h:schneider-electric:pacis_gtw:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:schneider-electric:saitel_dp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:saitel_dp:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

OR	cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:::::linux::
	cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:::::windows::

cpe:2.3:h:schneider-electric:epas_gtw:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:schneider-electric:saitel_dr_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:saitel_dr:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:schneider-electric:scd2200_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:schneider-electric:cp-3:-:::::::*
	cpe:2.3:h:schneider-electric:mc-31:-:::::::*

Configuration 9 (hide)

OR	cpe:2.3:a:rockwellautomation:aadvance_controller::::::::
	cpe:2.3:a:rockwellautomation:isagraf_free_runtime::::::isagraf6_workbench::*
	cpe:2.3:a:rockwellautomation:isagraf_runtime::::::::

Configuration 10 (hide)

AND

cpe:2.3:o:rockwellautomation:micro810_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:rockwellautomation:micro810:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:rockwellautomation:micro820_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:rockwellautomation:micro820:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:rockwellautomation:micro830_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:rockwellautomation:micro830:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:rockwellautomation:micro850_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:rockwellautomation:micro850:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:rockwellautomation:micro870_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:rockwellautomation:micro870:-:*:*:*:*:*:*:*

Configuration 15 (hide)

cpe:2.3:o:xylem:multismart_firmware:*:*:*:*:*:*:*:*

History

04 Apr 2022, 20:56

Type	Values Removed	Values Added
CWE		CWE-22
References	~~(CONFIRM) https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01 -~~	(CONFIRM) https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01 - Third Party Advisory, US Government Resource
References	~~(CONFIRM) https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04 -~~	(CONFIRM) https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04 - Mitigation, Vendor Advisory
References	~~(CONFIRM) https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699 -~~	(CONFIRM) https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699 - Permissions Required
References	~~(CONFIRM) https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf -~~	(CONFIRM) https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf - Third Party Advisory
CPE		cpe:2.3:h:rockwellautomation:micro870:-:::::::* cpe:2.3:h:schneider-electric:easergy_t300:-:::::::* cpe:2.3:h:rockwellautomation:micro820:-:::::::* cpe:2.3:o:schneider-electric:saitel_dp_firmware:::::::: cpe:2.3:o:schneider-electric:micom_c264_firmware:::::::: cpe:2.3:o:schneider-electric:scd2200_firmware:::::::: cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.1:::::windows:: cpe:2.3:o:xylem:multismart_firmware:::::::: cpe:2.3:h:schneider-electric:epas_gtw:-:::::::* cpe:2.3:h:schneider-electric:micom_c264:-:::::::* cpe:2.3:h:schneider-electric:easergy_c5:-:::::::* cpe:2.3:a:rockwellautomation:isagraf_free_runtime::::::isagraf6_workbench::* cpe:2.3:h:schneider-electric:mc-31:-:::::::* cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:::::linux:: cpe:2.3:o:schneider-electric:saitel_dr_firmware:::::::: cpe:2.3:o:schneider-electric:easergy_c5_firmware:::::::: cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:::::windows:: cpe:2.3:h:schneider-electric:cp-3:-:::::::* cpe:2.3:o:rockwellautomation:micro820_firmware:-:::::::* cpe:2.3:h:rockwellautomation:micro810:-:::::::* cpe:2.3:o:rockwellautomation:micro810_firmware:-:::::::* cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.2:::::windows:: cpe:2.3:h:rockwellautomation:micro850:-:::::::* cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:::::linux:: cpe:2.3:h:rockwellautomation:micro830:-:::::::* cpe:2.3:o:rockwellautomation:micro850_firmware:-:::::::* cpe:2.3:h:schneider-electric:pacis_gtw:-:::::::* cpe:2.3:h:schneider-electric:saitel_dp:-:::::::* cpe:2.3:a:rockwellautomation:isagraf_runtime:::::::: cpe:2.3:o:schneider-electric:easergy_t300_firmware:::::::: cpe:2.3:o:rockwellautomation:micro830_firmware:-:::::::* cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.1:::::windows:: cpe:2.3:o:rockwellautomation:micro870_firmware:-:::::::* cpe:2.3:a:rockwellautomation:aadvance_controller:::::::: cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:::::windows:: cpe:2.3:h:schneider-electric:saitel_dr:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 9.3 v3 : 9.8

18 Mar 2022, 19:12

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-18 18:15

Updated : 2024-02-04 22:29

NVD link : CVE-2020-25176

Mitre link : CVE-2020-25176

CVE.ORG link : CVE-2020-25176

JSON object : View

Products Affected

schneider-electric

cp-3
saitel_dr
easergy_c5
easergy_t300_firmware
mc-31
scd2200_firmware
pacis_gtw
saitel_dp_firmware
epas_gtw
micom_c264
saitel_dr_firmware
easergy_c5_firmware
easergy_t300
micom_c264_firmware
pacis_gtw_firmware
saitel_dp
epas_gtw_firmware

rockwellautomation

isagraf_runtime
micro810
aadvance_controller
isagraf_free_runtime
micro810_firmware
micro870_firmware
micro830_firmware
micro820
micro870
micro850
micro830
micro850_firmware
micro820_firmware

xylem

multismart_firmware

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23

Relative Path Traversal

9.8 /10