| Developers: | ABB Russia (ABB) |
| Branches: | Metallurgical Industry, Chemical Industry |
| Technology: | APCS |
Main article: APCS - typical structure
2025: Vulnerability found in ABB controllers to take over power management
In mid-February, FSTEC warned of the discovery of a critical error BDU:2025-01311[1] controllers in two series of ABB controllers - MATRIX and NEXUS. They found default credentials that attackers can use to gain control over devices. The vulnerability was rated 9.8 out of 10 by CVSS and exists up to version 3.08.03. The error has already been fixed by the manufacturer, but technical support for the company's products in Russia and Belarus has been discontinued since the summer of 2022.
The MATRIX and NEXUS controller series are part of the ABB ASPECT-Enterprise industrial solution, which is designed to manage the power of large buildings and structures. They make it possible to remotely control the power supply of facilities where the solution is deployed. Intercepting control of such systems with default passwords that cannot be changed can give attackers the ability to turn off power in building premises and disable other equipment.
 | Although ABB is the world leader in the production of APCS, their controllers in Russia have found minimal use, - Oleg Ushakov, director of the development of the competence center for industrial automation "T1 Integration," assured TAdviser readers. - Any equipment may fail. If errors are detected, the ability to quickly download updates from the manufacturer is important, which is now impossible with ABB products - the vendor does not support working with the market in Russia and Belarus. |  |
Now IT specialists have to use parallel import channels to bypass restrictions on downloading updates, but at the same time the likelihood of an attack through supply channels increases: bookmarks can be built into the new version of firmware obtained from such sources, so in any case they must be carefully checked before installation. In case users of ABB products fail to install updates from trusted sources, FSTEC experts recommend using the following compensatory measures:
- Use firewalls to restrict remote access to software;
- Compile a "white" list of IP addresses to restrict remote access to vulnerable software;
- Interact with vulnerable components only over secure communication channels.
At the same time, it is important not to let outsiders directly connect to vulnerable controllers, that is, hide them in secure network segments, and in the building where they are installed, prevent foreign devices from connecting to the technological network.
It is worth noting that the topic of hard-coded passwords in engineering software is an old problem. It can be found in a wide variety of situations, so users of APCS products should always first check their solutions for such vulnerabilities.
| | In corporate information systems, it is usually necessary to exclude the use of encoded credentials, - recalled the rules of industrial safety Alexei Zakharov, director of technological consulting at Axiom JDK. - Such defects in the software can usually be prevented by using static code analysis tools or by analyzing it for safety-related deficiencies. Such procedures are regulated in our GOST for the development of safe software. Typically, secure authorization methods, such as enterprise authorization systems, are used to avoid such situations, which use secure algorithms to transmit data and do not store account information locally. | |
2024: Fix vulnerabilities to take control of controllers
ABB controllers have fixed vulnerabilities discovered by experts from Positive Technologies, which announced this on March 19, 2024. An attacker using them could stop the controllers or intercept control of them.
The company ABB thanked Natalia Tlyapova and Denis Goryushev for finding two vulnerabilities in the Freelance AC 900F and AC 700F controllers. These devices are used in, and in metallurgy chemical industries other areas. Vendor was notified of the threat as part of the responsible disclosure policy and issued an update. ON
AC 900F and AC controllers are 700F used to build distributed control systems (DCS) in plants and are designed to automate large continuous cycle plants. ABB is the global DCS market leader with a 20% share. CVE-2023-0425 and CVE-2023-0426 vulnerabilities (access from Russia via VPN) received the same score of 8.6 on the CVSS v3.1 scale, which means a high level of danger.
Positive Technologies application analysis specialists who discovered the vulnerabilities note that by exploiting these security flaws, an attacker could stop the controllers from working and disrupt the technological process. In addition, by sending a specially crafted packet, an attacker could carry out a remote code execution attack, which would allow him to intercept control of the device.
ABB recommends that Freelance 2016 SP1 RU06, Freelance 2019 SP1 RU02 and Freelance 2019 SP1 FP1 RU03 updates be installed as soon as possible. To mitigate the threat, users can also use the measures described in the security notification (access via VPN).
| The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible. |