Full Report
A remote attacker can read and modify captured data during a Man-in-the-Middle attack, because the affected software uses the ISaGRAF eXchange Layer (IXL) protocol, which is unencrypted by design.
Analysis Summary
# Vulnerability: Cleartext Transmission in Rockwell Automation IXL Protocol
## CVE Details
- **CVE ID:** CVE-2020-25178
- **CVSS Score:** 6.8 (Medium). *Note: the CVSS vector rates Confidentiality and Integrity impact as High; the source text contains some conflicting score representations.*
- **CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
- **CWE:** CWE-319: Cleartext Transmission of Sensitive Information
## Affected Systems
- **Products:**
  - Rockwell Automation ISaGRAF Runtime Toolkit 5
  - AADvance Controller
  - Micro800 Family (All firmware versions)
  - Various controllers based on ISaGRAF Runtime 5
- **Versions:**
  - ISaGRAF Runtime 5: Versions prior to 5.72.00
  - AADvance Controller: Versions prior to 1.041.3
- **Configurations:** Systems utilizing the proprietary ISaGRAF eXchange Layer (IXL) protocol for communication between the Workbench and Runtime devices.
## Vulnerability Description
The ISaGRAF eXchange Layer (IXL) protocol, used for managing and controlling program resources on industrial devices, is unencrypted by design. Because sensitive information is transmitted in cleartext, a remote attacker positioned to intercept traffic can capture, read, and modify the data stream.
## Exploitation
- **Status:** Vulnerability confirmed by vendor; the provided text does not mention active exploitation in the wild.
- **Complexity:** High (Attacker must successfully execute a Man-in-the-Middle (MitM) attack).
- **Attack Vector:** Network (requires access to port 1131/TCP).
- **User Interaction:** Required (A user must initiate communication over the IXL protocol).
## Impact
- **Confidentiality:** High (All data transferred can be read by an attacker).
- **Integrity:** High (Attacker can modify data in transit).
- **Availability:** None reported.
## Remediation
### Patches
- **ISaGRAF Runtime 5:** Upgrade to version 5.72.00 or later.
- **AADvance Controller:** Upgrade to version 1.041.3 or later.
### Workarounds
- **Network Segmentation:** Place control systems behind firewalls and isolate them from business networks.
- **Port Filtering:**
  - Block or restrict traffic on **TCP 1131** (General ISaGRAF).
  - Block or restrict traffic on **TCP 1132** (Specific to AADvance controllers).
- **Micro800 Specific:** Ensure the controller is protected with a strong password.
- **Secure Infrastructure:** Utilize VPNs, UTM devices, and follow "Defense-in-Depth" principles as outlined in the Converged Plantwide Ethernet (CPwE) guide.
## Detection
- **Indicators of Compromise:** Unencrypted IXL traffic originating from or directed toward unauthorized IP addresses.
- **Detection Methods and Tools:**
  - Network traffic analysis (NTA) for activity on TCP ports 1131 and 1132.
  - IDS/IPS signatures capable of identifying plaintext IXL protocol patterns.
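
One way to implement the traffic-analysis check above, as an added example that is not part of the advisory or any vendor tooling: it scans flow records for TCP sessions to ports 1131 and 1132 and reports any whose source/destination pair is not on an allowlist. The CSV flow format, the IP addresses, and the `AUTHORIZED` policy are constructed assumptions.

```python
import csv
import io
import ipaddress

# Ports named in the advisory: 1131/TCP (general ISaGRAF), 1132/TCP (AADvance).
IXL_PORTS = {1131: "ISaGRAF IXL", 1132: "AADvance IXL"}

# Assumed site policy (constructed): each Workbench host and the controller
# subnets it is allowed to reach over IXL.
AUTHORIZED = {
    ipaddress.ip_address("10.20.0.15"): [ipaddress.ip_network("10.20.1.0/24")],
}

# Constructed flow records, e.g. as exported from a flow collector or NTA tool.
SAMPLE_FLOWS = """\
ts,proto,src,dst,dport
2021-07-13T08:00:01Z,tcp,10.20.0.15,10.20.1.10,1131
2021-07-13T08:02:44Z,tcp,10.30.5.77,10.20.1.10,1131
2021-07-13T08:03:10Z,tcp,10.20.0.15,10.20.1.11,502
2021-07-13T08:05:32Z,tcp,10.20.0.15,10.40.9.3,1132
2021-07-13T08:06:00Z,udp,10.30.5.77,10.20.1.10,1131
"""


def is_authorized(src, dst):
    """True only if src is a known Workbench and dst is in one of its subnets."""
    return any(dst in net for net in AUTHORIZED.get(src, []))


def find_unauthorized_ixl(flow_csv):
    """Return (ts, src, dst, port, label) for each IXL session outside policy."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dport"])
        # Only TCP sessions to the IXL ports are in scope for this check.
        if row["proto"].lower() != "tcp" or port not in IXL_PORTS:
            continue
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if not is_authorized(src, dst):
            alerts.append((row["ts"], row["src"], row["dst"], port, IXL_PORTS[port]))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, port, label in find_unauthorized_ixl(SAMPLE_FLOWS):
        print(f"{ts} unauthorized {label} session {src} -> {dst}:{port}")
```

Because the allowlist is keyed on the pair rather than on the source alone, a legitimate Workbench host reaching a controller outside its assigned subnet is reported as well.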
## References
- **Vendor Advisory:** hxxps://rockwellautomation[.]custhelp[.]com/app/answers/answer_view/a_id/1131699
- **NVD Entry:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2020-25178
- **Kaspersky Advisory:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2021/07/13/klcert-20-023-rockwell-automation-isagraf-runtime-information-disclosure-due-to-cleartext-transmission-of-information-over-ixl-protocol/