A path-traversal vulnerability has been discovered in ABB Totalflow flow computers and controllers that could lead to code injection and arbitrary code execution (ACE).
The high-risk vulnerability (tracked as CVE-2022-0902) has a CVSS v3 score of 8.1 and affects several ABB G5 products. It was discovered by security researchers at Team82, Claroty’s research arm.
“Attackers can exploit this flaw to get root access on an ABB flow computer, examine and publish information, and remotely execute code,” the company wrote in an advisory released on Tuesday.
Specifically, attackers could try to exploit the vulnerability by building a specially crafted message and sending it to an affected system node.
This would require the attacker to have access to the system network, either directly or by way of a misconfigured or breached firewall. They could also install malicious software on a system node or infect the network itself with malicious software.
Team82 said it disclosed the vulnerability to ABB, which promptly released a firmware update that resolves the vulnerability in many product versions.
“The update removes the vulnerability by modifying the way that the Totalflow protocol validates messages and verifies input data,” ABB explained.
The advisory also recommends network segmentation as a mitigation strategy.
“To mitigate this vulnerability, the ABB product should only be connected to a network segment that restricts access to authorized users,” reads the ABB technical write-up. “The vulnerability is only exposed when the attacker has access to the network where the ABB device is running Totalflow TCP protocol.”
Further mitigation strategies include installing physical controls so that no unauthorized personnel can access devices and networks, and scanning all data imported into environments before use to detect potential malware infections.
A full list of security recommendations, along with details about CVE-2022-0902, is available in the original text of the ABB advisory.
The mitigation comes months after the Cybersecurity and Infrastructure Security Agency (CISA) issued a new report outlining cybersecurity performance goals (CPGs) for critical infrastructure sectors.