Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the tiny encryption algorithm (TEA) on an entered or saved password. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the tiny encryption algorithm (TEA) on an entered or saved password. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	Name	Product	Family	Severity
500647	Schneider Electric Use of Hard-Coded Cryptographic Key in embedded Rockwell Automation ISaGRAF5 Runtime (CVE-2020-25180)	Tenable OT Security	Tenable.ot	medium
500646	Rockwell Automation ISaGRAF5 Runtime Use of Hard-Coded Cryptographic Key (CVE-2020-25180)	Tenable OT Security	Tenable.ot	medium

Detections

Analytics

CVE-2020-25180

medium

Tenable Plugins

medium

medium