ABB recommends users update to a newer version to mitigate a path traversal vulnerability in its Relion 670 Series, according to a report from CISA.
Successful exploitation of this remotely exploitable vulnerability, discovered by Kirill Nesterov of Kaspersky Lab, may allow an attacker to read and delete files on the device.
The following versions of Relion 670 series, a protection and control device, suffer from the issue:
• Relion 670 series versions 1p1r26 and prior
• Relion 670 series versions 220.127.116.11 and prior
• Relion 670 series versions 18.104.22.168 and prior (RES670 22.214.171.124 and prior)
• Relion 670 series versions 126.96.36.199 and prior
In the vulnerability, an attacker could use specially crafted paths in a specific request to read or delete files from the device outside the intended directory.
CVE-2019-18253 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
The product sees use mainly in the critical manufacturing and energy sectors, and it is deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
ABB recommends users update to the following or later versions at the earliest convenience if IEC 61850 is used:
• Relion 670 series version 1p1r27
• Relion 670 series version 188.8.131.52
• Relion 670 series version 184.108.40.206 (RES670 220.127.116.11)
• Relion 670 series version 18.104.22.168
Updates can be ordered by email.
The only known workaround for this vulnerability is to disable the IEC 61850 protocol when not in use. If this is not possible, ABB recommends having a proper security architecture that divides the system into different security zones, and revising the firewall configurations to limit the usage of the MMS protocol to the relevant upper networks.
IEC 61850 MMS protocol uses Port 102/TCP.
ABB also recommends these and other proper security practices and firewall configurations (including VPN) be implemented to help protect a process control network from attacks originating outside the network:
• Process control systems are physically protected from direct access by unauthorized personnel.
• Process control systems have no direct connections to the Internet.
• Process control systems are separated from other networks by means of a firewall system that has a minimal number of ports/services exposed.
• Process control systems should not be used for Internet surfing, instant messaging, or receiving emails.
• Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
• If IEC 61850 protocol isn’t used, make sure it is disabled. This removes the vulnerability.
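To check that the firewall really does limit MMS to the relevant upper networks, flow or firewall logs can be audited for 102/TCP traffic reaching the relay zone from anywhere else. The following is an added example, not taken from ABB or CISA; the subnets, the CSV log layout and the function name are assumptions made for illustration.

```python
import csv
import io
from ipaddress import ip_address, ip_network

MMS_PORT = 102  # IEC 61850 MMS port named in the advisory

# Assumed zone layout (constructed for this example, not from the advisory).
RELAY_ZONE = ip_network("10.20.30.0/24")             # protection relays
ALLOWED_MMS_CLIENTS = [ip_network("10.20.10.0/28")]  # station HMI / gateway

# Constructed flow records; adapt the columns to your firewall's export format.
SAMPLE_FLOWS = """\
src,dst,proto,dport,action
10.20.10.5,10.20.30.11,tcp,102,allow
10.50.7.21,10.20.30.11,tcp,102,allow
192.0.2.44,10.20.30.12,tcp,102,deny
10.20.10.6,10.20.30.12,tcp,443,allow
10.50.7.21,10.99.1.1,tcp,102,allow
"""


def audit_mms_flows(flow_csv):
    """Return (severity, src, dst) for MMS flows to relays from non-allowed sources."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only MMS traffic is in scope for this check.
        if row["proto"].lower() != "tcp" or int(row["dport"]) != MMS_PORT:
            continue
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if dst not in RELAY_ZONE:
            continue  # destination is not a relay
        if any(src in net for net in ALLOWED_MMS_CLIENTS):
            continue  # expected upper-network client
        # An allowed flow means the firewall rule is too broad; a denied one
        # means the rule holds but an unexpected host tried to reach MMS.
        severity = "policy-gap" if row["action"] == "allow" else "blocked-attempt"
        findings.append((severity, str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for severity, src, dst in audit_mms_flows(SAMPLE_FLOWS):
        print(f"{severity}: {src} -> {dst}:{MMS_PORT}/tcp")
```

A "policy-gap" finding points at a firewall rule to tighten, while a "blocked-attempt" finding is worth tracing back to the source host.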
More information is available in the ABB Cybersecurity Advisory.