ABB recommends users apply the latest update to mitigate an improper input validation vulnerability in its Relion 650 and 670 Series, according to a report from CISA.
Successful exploitation of this remotely exploitable vulnerability, discovered by Ilya Karpov, Evgeniy Druzhinin, and Victor Nikitin of ScadaX, may allow an attacker to reboot the device, causing a denial of service.
The following versions of Relion, a protection and control device, suffer from the issue:
• Relion 650 series versions 188.8.131.52 and prior
• Relion 670 series versions 184.108.40.206 and prior
• Relion 670 series versions 220.127.116.11 and prior
• Relion 670 series versions 18.104.22.168 and prior
In the vulnerability, an attacker may use a specially crafted message to force the device to reboot, which could cause a denial of service.
CVE-2019-18247 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The products see use mainly in the critical manufacturing and energy sectors. They are also deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the issue.
ABB recommends users apply the following or later versions at the earliest convenience:
• Relion 650 series version 22.214.171.124
• Relion 670 series version 126.96.36.199
• Relion 670 series version 188.8.131.52
• Relion 670 series version 184.108.40.206
Updates can be ordered by email.
ABB also recommends these and other proper security practices and firewall configurations be implemented to help protect a process control network from attacks originating outside the network:
• Process control systems are physically protected from direct access by unauthorized personnel
• Process control systems have no direct connections to the Internet
• Process control systems are separated from other networks by means of a firewall system that has a minimal number of ports/services exposed
• Process control systems should not be used for Internet surfing, instant messaging, or receiving emails
• Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system
More information on recommended practices can be found in the ABB Cybersecurity Deployment Guidelines for each product version.
ABB has not identified any workaround; however, firewall rules could be set to block incoming traffic to Port 7001/TCP that originates from outside the network.
In the Relion 650 series Version 1.3, the SPA protocol over TCP/IP could be disabled if it is not in use.
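One way to confirm the Port 7001/TCP block is actually effective is to audit firewall or flow logs for allowed connections that reach a relay from outside the control network. The following Python check is an added example, not code from ABB or CISA; the log format, the address ranges and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the advisory): the control-network range and the
# relay subnet below are constructed placeholders; replace with site values.
CONTROL_NETS = [ipaddress.ip_network("10.20.0.0/24")]
RELAY_NETS = [ipaddress.ip_network("10.20.0.0/26")]
BLOCKED_PORT = 7001  # TCP port named in the advisory's mitigation

# Constructed sample flow records: "src dst proto dport action"
SAMPLE_FLOWS = """\
10.20.0.70 10.20.0.10 tcp 7001 allow
192.168.5.14 10.20.0.10 tcp 7001 allow
192.168.5.14 10.20.0.10 tcp 7001 deny
203.0.113.9 10.20.0.11 tcp 7001 allow
192.168.5.14 10.20.0.10 tcp 102 allow
192.168.5.14 10.20.0.10 udp 7001 allow
not a flow record
"""

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)

def find_violations(text):
    """Return (line_no, src, dst) for allowed 7001/TCP flows that reach a
    relay from a source outside the control network."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        src_s, dst_s, proto, dport, action = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if (proto.lower() == "tcp" and port == BLOCKED_PORT
                and action.lower() == "allow"
                and in_any(dst, RELAY_NETS)
                and not in_any(src, CONTROL_NETS)):
            hits.append((n, src_s, dst_s))
    return hits

if __name__ == "__main__":
    for n, src, dst in find_violations(SAMPLE_FLOWS):
        print(f"line {n}: {src} -> {dst}:7001/tcp allowed from outside")
```

Any record it reports means the firewall rule is missing or is being bypassed for that path.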
For more information, see the ABB Cybersecurity Advisory.