ABB Patches Webserver Hole

Friday, November 16, 2012 @ 01:11 PM gHale

ABB created a patch for the buffer overflow vulnerability in its AC500 PLC Webserver application, which could lead to a denial of service (DoS), affecting the availability of the service, according to a report on ICS-CERT.

This vulnerability relates to the 3S Smart Software Solutions CoDeSys Vulnerabilities as the ABB AC500 PLC uses the CoDeSys Webserver, the report said.

Hole Exists; Wrong Vendor Selected
Patch Fixes C3-ilex Holes
Korenix Fixes Vulnerability
GE Mitigates Proficy Holes

This remotely exploitable vulnerability affects multiple sectors to include the energy, critical manufacturing, and transportation sectors. Exploits that target this vulnerability are publicly available.

The following ABB AC500 CPU modules with firmware Version V2.1.3 and Web server enabled suffer from the issue:
• 1SAP130 300 R0271 PM573-ETH,
• 1SAP140 300 R0271 PM583-ETH,
• 1SAP150 000 R0271 PM590-ETH,
• 1SAP150 100 R0271 PM591-ETH,
• 1SAP150 200 R0271 PM592-ETH,
• 1TNE968 900 R0110 PM554-T-ETH,
• 1TNE968 900 R1110 PM564-T-ETH,
• 1TNE968 900 R1210 PM564-R-ETH, and
• 1TNE968 900 R1211 PM564-R-ETH-AC.

Exploiting this buffer overflow vulnerability in the embedded CoDeSys Web server component used by ABB causes a DoS of the PLC that can only end up recovered after cycling the system’s power. An attacker with a low skill would be able to exploit this vulnerability.

Switzerland-based ABB maintains offices in several countries around the world and develops products in multiple critical sectors used worldwide.

The affected products, AC500 PLCs, are Web-based SCADA systems. According to ABB, the AC500 PLCs see use in several sectors including the energy, critical manufacturing, transportation, and others.

By sending an overly long URL to Port 80/TCP (Port 80 by default, but the device may use any arbitrary port), an attacker could cause a stack-based buffer overflow. This causes a crash of the PLC. The only remediation is to cycle the system’s power.
CVE-2011-5007 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

ABB released a Vulnerability Security Advisory and patch (V2.1.5) that mitigates this vulnerability was available in December 2011. Firmware versions starting from V2.1.4 do not contain the vulnerability. Firmware V2.1.5 is in the ABB PLC download center.

The Web server component is not active in the default configuration of the system. It should only see use if the user needs human-machine interface visualization. PLCs that are continuously running are most likely in a factory environment where additional cyber security measures, such as isolation, and intrusion detection among others, are part of normal security operations and reduce the risk for malware or unauthorized personnel to have a network connection to the PLC.

Leave a Reply

You must be logged in to post a comment.