ABB has new software version to handle an improper input validation vulnerability in its CP400 Panel Builder TextEditor 2.0, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Ivan Sanchez of NullCode, may allow an attacker to execute arbitrary code, and cause a denial-of-service condition within the Text Editor application.
A Control Panel Software Suite, CP400PB, Panel Builder for CP405 and CP408, Versions 2.0.7.05 and prior suffer from the vulnerability.
The application contains a vulnerability in the file parser of the Text Editor wherein the application doesn’t properly prevent the insertion of specially crafted files.
CVE-2018-19008 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.0.
The product sees use in the chemical, critical manufacturing, dams, energy, food and agriculture, and water and wastewater sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. High skill level is needed to exploit.
ABB recommended users of affected Versions 2.0.7.05 and prior update to the latest Version 22.214.171.124.
For additional information, see the ABB advisory ABBVU-IACT-3BSE091042.
SECURITY – CP400 Panel Builder TextEditor 2.0, Improper input validation vulnerability ABBVU-IACT-3BSE091042
ABB also recommends the following security practices and firewall configurations to protect process control networks from attacks that originate from outside the network:
• Conduct or reinforce cybersecurity awareness training for users
• Follow general cybersecurity best practice recommendations for industrial control systems
• Be aware that it is possible to infect Panel Builder files with malware
• Be careful with files that are received unexpectedly and/or from unexpected sources
• Carefully inspect any files transferred between computers, scan them with up-to-date antivirus software, so that only legitimate files are transferred
• Manage user accounts following the principle of least privilege
More information on recommended practices can be found in ABB’s Security for Industrial Automation and Control Systems paper – 3BSE032547.