B&R Aprol

Aprol is a manufacturing process management system that offers extensive scalability to cover every application.

2023: Addressing Five Vulnerabilities

The B&R APROL management system fixed the vulnerabilities identified by Positive Technologies, which announced this on March 7, 2023.

An attacker could penetrate the database of the system that controls production processes.

The Austrian The company, B&R part ABB of the group, thanked Natalia Tlyapova, Senior Specialist in Application Analysis at Positive Technologies, for discovering five vulnerabilities in the APROL production process management system database. The solution is applied in,,, and power machine-building oil and gas food other industries. The manufacturer was notified of the threat as part of a responsible disclosure policy and fixed vulnerabilities in the new versions. ON

The greatest danger was three vulnerabilities that would allow an attacker to perform remote code execution, "said Natalya Tlyapova. - These are CVE-2022-43761 (CVSS score 9.4 v3.1), CVE-2022-43762 (score 7.5) and CVE-2022-43764 (score 9.8). The combination of these errors could be used to penetrate the server running B&R APROL, and CVE-2022-43761 itself made it possible to read and distort information in the database of this system. Such changes could lead to abnormal operation of the control system and disruption of the technological process.

Two more vulnerabilities found by Natalya Tlyapova - CVE-2022-43763 and CVE-2022-43765 (7.5 ratings) - allowed a denial-of-service attack to be carried out.

Users need to install fixed versions of APROL system (R 4.2-07 with AutoYaST or V4.2-070.0.120102). These updates provide secure access to the database using TLSenciphering-.

2019: Identifying multiple vulnerabilities in Aprol's 12 components

On May 30, 2019, Positive Technologies announced that its experts from the security departments of industrial control systems and application analysis have identified multiple vulnerabilities in 12 components of the APROL production process management system of the Austrian company B&R Automation. This control system is used in the oil and gas, energy, engineering and other industries.

The greatest danger is posed by five vulnerabilities (Nos. 5, 7, 8, 10, 11 from the manufacturer's notification), which allow a remote attacker to execute arbitrary code in the APROL system.

[[:Шаблон:Quote 'author = noted Vladimir Nazarov, head of the safety department of industrial control systems at Positive Technologies]]

Among the identified vulnerabilities, memory access errors were found in the TbaseServer component, errors in the AprolLoader and AprolSqlServer components, SQL injections in the EnMon power consumption monitoring and accounting system, and the ability to implement arbitrary commands in the web server.

Vulnerable version users need to install the latest version of APROL R.

According to Positive Technologies, in 2018, the number of vulnerabilities identified in the equipment of various manufacturers of industrial automation systems continued to grow (by 30%), as well as the number of I&C components available on the Internet (by 27%).