ABB created a new version to mitigate a DLL Hijacking vulnerability in its Panel Builder 800 Version 5.1 application, according to a report on ICS-CERT.
Panel Builder 800 Version 5.1 is affected by the issue, which was discovered by Ivan Sanchez of Nullcode Team.
The vulnerability could allow an attacker who successfully exploits it to insert and run arbitrary code on an affected system.
ABB is a Switzerland-based company that maintains offices in several countries around the world.
The affected products, Panel Builder 800s, are web-based HMI systems. They are deployed across several sectors, including critical manufacturing, energy, and transportation systems, and are used worldwide.
If an application loads a DLL without specifying an absolute path, Windows searches a fixed sequence of locations for a file of that name and loads the first match it finds.
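The following is an added example, not code from the advisory or from ABB, that models the Windows DLL search order described above and audits where each of an application's imports would resolve from. It is the check a defender would run before deciding whether a search-order weakness matters: a DLL that resolves from a user-writable directory, or that is found nowhere on the search path, is a finding to remediate. All paths, DLL names, the set of present files and the list of user-writable directories are constructed; it also assumes, as is usual when a document is opened through a file association, that the process's current directory is the folder containing the opened project file.

```python
"""Constructed example: model the Windows DLL search order and audit where an
application's DLL imports would resolve from.  Not from the advisory or from
ABB; all paths, DLL names and the writable-directory list are made up."""

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# A few DLLs that Windows resolves from the KnownDLLs list before any
# directory search; the real list lives in the registry and is longer.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs=(), safe_mode=True):
    """Directory order Windows searches for an unqualified DLL name.

    With SafeDllSearchMode on (the default) the current directory is searched
    after the system directories; with it off, the current directory is
    searched right after the application directory.
    """
    if safe_mode:
        order = [app_dir, *SYSTEM_DIRS, cwd]
    else:
        order = [app_dir, cwd, *SYSTEM_DIRS]
    return order + list(path_dirs)


def resolve_dll(name, order, files_present):
    """Return the directory the DLL would load from, 'KnownDLLs', or None."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return "KnownDLLs"
    for directory in order:
        names = {f.lower() for f in files_present.get(directory, ())}
        if name in names:
            return directory
    return None


def audit_imports(imports, order, files_present, user_writable):
    """Classify each import as 'ok', 'hijackable' (would load from a
    user-writable directory) or 'missing' (found nowhere, so any user-writable
    directory on the search path could supply it)."""
    findings = {}
    for dll in imports:
        source = resolve_dll(dll, order, files_present)
        if source is None:
            risk = "missing"
        elif source in user_writable:
            risk = "hijackable"
        else:
            risk = "ok"
        findings[dll] = (source, risk)
    return findings


# --- constructed scenario ---------------------------------------------------
APP_DIR = r"C:\Program Files\Vendor\Builder"        # installed by an administrator
PROJECT_DIR = r"C:\Users\alice\Documents\Projects"  # folder of the opened project file
USER_WRITABLE = {PROJECT_DIR, r"C:\Users\alice\AppData\Local\Temp"}

FILES_PRESENT = {
    APP_DIR: {"builder.exe", "vendorcore.dll"},
    r"C:\Windows\System32": {"version.dll", "kernel32.dll"},
    PROJECT_DIR: {"project1.pba", "helper.dll", "version.dll"},
}
# On a real system these names come from the binary's import table.
IMPORTS = ["kernel32.dll", "vendorcore.dll", "version.dll", "helper.dll", "optional.dll"]


def run_audit(safe_mode=True):
    order = search_order(APP_DIR, PROJECT_DIR, safe_mode=safe_mode)
    return audit_imports(IMPORTS, order, FILES_PRESENT, USER_WRITABLE)


if __name__ == "__main__":
    for mode in (True, False):
        print(f"SafeDllSearchMode={'on' if mode else 'off'}")
        for dll, (source, risk) in run_audit(mode).items():
            print(f"  {dll:16} {risk:10} {source}")
```

With SafeDllSearchMode on, `version.dll` resolves from System32 and only `helper.dll` (present solely in the project folder) and `optional.dll` (present nowhere) are flagged; with it off, the project folder is searched before System32 and `version.dll` is flagged as well. The developer-side fixes the model points at are loading with a full path, or restricting the search with `LoadLibraryEx` and `LOAD_LIBRARY_SEARCH_SYSTEM32` or `SetDefaultDllDirectories`; on the administrative side, keep SafeDllSearchMode enabled and avoid starting the application with a user-writable current directory, which is what the vendor's file-association workaround achieves.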
CVE-2016-2281 has been assigned to this vulnerability, which has a CVSS v3 base score of 7.2.
This vulnerability is not exploitable remotely and cannot be exploited without user interaction.
No known public exploits specifically target this vulnerability, and crafting a working exploit for it would be difficult. An attacker must first place malicious code in a specific directory on the file system of a computer where Panel Builder 800 Version 5.1 is used, and then get a legitimate user of Panel Builder 800 Version 5.1 to execute it. This decreases the likelihood of a successful exploit.
ABB recommends any new projects use Panel Builder 800 Version 6.0.
ABB developed and tested the following workaround. It does not correct the underlying vulnerability, but it blocks the known attack vector: remove the association of .pba files with Panel Builder 800 Version 5.1.
This can be done via Control Panel\Programs\Default Programs\Set Associations.
The impact of this workaround is that it will no longer be possible to start Panel Builder 800 Version 5.1 by double-clicking a Panel 800 project file. Panel Builder 800 Version 5.1 will instead need to be started from a shortcut provided by the product installation, e.g., in the Windows Start menu.