A path-traversal vulnerability has been discovered in ABB Totalflow flow computers and controllers that could lead to code injection and arbitrary code execution (ACE).
The high-risk vulnerability (tracked as CVE-2022-0902) has a CVSS v3 score of 8.1 and affects several ABB G5 products. It was discovered by security researchers at Team82, Claroty's research arm.
“Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code,” the company wrote in an advisory published on Tuesday.
In particular, attackers could try to exploit the vulnerability by creating a specially crafted message and sending it to an affected system node.
The attack would require the attacker to have access to the system network, either directly or through a wrongly configured or breached firewall. They could also install malicious software on a system node or infect the network itself with malicious software.
Team82 said it disclosed the vulnerability to ABB, which promptly released a firmware update that resolves the vulnerability in many product versions.
“The update eliminates the vulnerability by modifying the way that the Totalflow protocol validates messages and verifies input data,” ABB explained.
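As an added illustration of the kind of input validation that statement refers to, the sketch below checks a file name taken from a network message before it is joined to a base directory. It is not ABB's code and does not reproduce the Totalflow protocol, whose message format the article does not describe; `BASE_DIR`, `resolve_request_path` and the sample names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: directory the hypothetical file handler is allowed to serve. */
#define BASE_DIR "/var/device/data"
#define MAX_NAME 255

/* Validate a length-delimited file name from a message and build the path
 * under BASE_DIR. Lexical check only: symlinks inside BASE_DIR still need
 * a realpath()/openat()-style check when the file is opened. */
bool resolve_request_path(const unsigned char *name, size_t name_len,
                          char *out, size_t out_len)
{
    size_t i = 0, named = 0;
    if (name_len == 0 || name_len > MAX_NAME || name[0] == '/')
        return false;                     /* empty, oversized or absolute */
    while (i < name_len) {
        size_t start = i, len;
        for (; i < name_len && name[i] != '/'; i++) {
            /* NUL and control bytes truncate or confuse later string
             * handling; '\\' is treated as a separator by some stacks. */
            if (name[i] < 0x20 || name[i] == 0x7f || name[i] == '\\')
                return false;
        }
        len = i - start;
        if (len == 2 && name[start] == '.' && name[start + 1] == '.')
            return false;                 /* any ".." component */
        if (len > 0 && !(len == 1 && name[start] == '.'))
            named++;                      /* a real directory or file name */
        i++;                              /* step over the '/' */
    }
    if (named == 0)
        return false;                     /* only "." and "/": no file named */
    int n = snprintf(out, out_len, "%s/%.*s", BASE_DIR, (int)name_len,
                     (const char *)name);
    return n > 0 && (size_t)n < out_len;  /* reject truncated output */
}

int main(void)
{
    /* Constructed sample names, not captured traffic. */
    const char *s[] = { "logs/day1.csv", "../../etc/passwd", "..data/a" };
    char path[512];
    for (size_t k = 0; k < 3; k++) {
        bool ok = resolve_request_path((const unsigned char *)s[k],
                                       strlen(s[k]), path, sizeof path);
        printf("%-18s -> %s\n", s[k], ok ? path : "REJECTED");
    }
    return 0;
}
```

Names such as `..data/a` pass because only a component that is exactly `..` climbs a directory; the check works on components rather than searching for the substring `..`.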
The advisory also recommends network segmentation as a mitigation strategy.
“To mitigate this vulnerability, the ABB device must only be connected to a network segment that restricts access to authorized users,” reads the ABB technical write-up. “The vulnerability is only exposed when the attacker has access to the network where the ABB device is running Totalflow TCP protocol.”
Further mitigation strategies include setting up physical controls so that no unauthorized personnel can access devices and networks, and scanning all data imported into environments before use to detect potential malware infections.
A full list of security recommendations, together with details about CVE-2022-0902, is available in the original text of the ABB advisory.
The mitigation comes months after the Cybersecurity and Infrastructure Security Agency (CISA) issued a new report outlining cybersecurity performance goals (CPGs) for critical infrastructure sectors.
Some parts of this article are sourced from:
www.infosecurity-magazine.com