Flaws in ABB network interface modules expose industrial systems to DoS attacks

Industrial technology giant ABB is working on fixes for three high-severity vulnerabilities discovered by researchers in some of the company’s network interface modules.

The vulnerabilities affect Symphony Plus SPIET800 and PNI800, which are network interface modules that enable communications between a control network and a host computer running an engineering tool or human-machine interface (HMI).

Due to the way these products handle certain packets, an attacker with local access to the control network or remote access to a system server may cause a denial of service (DoS) condition that cannot be resolved other than with a manual restart.

The vulnerabilities, discovered by researchers at OT cybersecurity firm Verve Industrial, have been assigned the CVE identifiers CVE-2021-22285, CVE-2021-22286 and CVE-2021-22288, and they have all been rated as “high severity”.

ABB published an advisory for these vulnerabilities in February, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week to inform organizations using the affected products of the risks.

The vendor’s initial advisory stated that fixes were planned for Q1 2022, but CISA’s advisory indicates that fixes should be available in Q2. In the meantime, exploitation can be prevented by ensuring that malicious actors cannot gain access to vulnerable devices.

“The vulnerabilities do not require any specific access or permissions on the device,” Lance Lamont, software engineer at Verve, told SecurityWeek. “If a network connection can be initiated to the device, the vulnerability can be exploited.”

Regarding the possibility of exploitation from the Internet, Lamont explained: “In the world of OT, there is usually a lot of effort to isolate internal industrial control devices and the Internet in general. Many technologies can be used to mitigate vulnerabilities like this, including firewalls, VPNs, and data diodes. With a properly configured OT infrastructure, it would be very difficult, if not impossible, to exploit these vulnerabilities from the general Internet.”

Exploitation of the vulnerabilities could cause disruptions in industrial environments – in addition to the direct impact on SPIET800 and PNI800 devices, systems connected to these devices will also be affected, ABB said.

Asked to describe a theoretical worst-case scenario resulting from the exploitation of these vulnerabilities, Lamont explained, “When these vulnerabilities are exploited, the device no longer interacts on its network port. There is no way to send it remote commands or receive updates until the device is restarted. Given the wide variety of applications for which these devices could be used, it is difficult, if not impossible, to describe the worst case – it would be very different depending on the specifics of this installation.”

ABB said in its February advisory that it was not aware of any attacks exploiting these vulnerabilities.

Related: ABB DCS Flaws Allow Hackers to Cause Disruption in Industrial Environments

Related: Vulnerability in ABB Plant Historian disclosed 5 years after discovery

Related: Vulnerability allows hackers to take control of ABB substation protection devices

Eduard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.
