ABB M2M Gateway Arbitrary Code Execution in embedded ClamAV (CVE-2023-20032)

Published: 27 May 2025. Reported by: Tenable. Type: nessus. Source: www.tenable.com

Vulnerability in ClamAV allows remote code execution due to buffer overflow in file parser.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(503245);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/14");

  script_cve_id("CVE-2023-20032");
  script_xref(name:"ICSA", value:"25-105-08");

  script_name(english:"ABB M2M Gateway Arbitrary Code Execution in embedded ClamAV (CVE-2023-20032)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"On Feb 15, 2023, the following vulnerability in the ClamAV scanning
library was disclosed: A vulnerability in the HFS+ partition file
parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and
0.103.7 and earlier could allow an unauthenticated, remote attacker to
execute arbitrary code. This vulnerability is due to a missing buffer
size check that may result in a heap buffer overflow write. An
attacker could exploit this vulnerability by submitting a crafted HFS+
partition file to be scanned by ClamAV on an affected device. A
successful exploit could allow the attacker to execute arbitrary code
with the privileges of the ClamAV scanning process, or else crash the
process, resulting in a denial of service (DoS) condition. For a
description of this vulnerability, see the ClamAV blog
[https://blog.clamav.net/].

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-08");
  # https://search.abb.com/library/Download.aspx?DocumentID=2NGA002579&LanguageCode=en&DocumentPartId=pdf&Action=Launch
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?310ae51a");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1aaa3f4f");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

For more information, please refer to ABB's Cybersecurity Advisory 2NGA002579. It provides a comprehensive mapping of
mitigation applicability in relation to each individual vulnerability listed.

ABB recommends the following mitigations:

- Obtain a cellular private access point (APN). A dedicated private cellular access point and respective SIM card
subscriptions can be requested from the cellular service provider. This service doesn't expose the traffic between
remote sites and the main site to the Internet but rather uses the cellular operator's private wide area network (WAN).
Therefore, the ARM600 wouldn't need open ports to the Internet.
- Avoid exposing any system component to the Internet. If the ARM600 must be exposed to the Internet, only the VPN port
should be opened towards the Internet (e.g., Patrol management connections can be configured to use a VPN tunnel, and
remote administration connections can be implemented using an OpenVPN PC-client).
- The ARM600 system is by default not dependent on the name service (DNS). If the name service is not used in the
system, the name service port (TCP/UDP Port 53) can be blocked by a firewall.
- Perform firewall configuration using the 'allowlisting' principle, explicitly allowing only the required ports and
protocols and blocking all other traffic.
- Filter specific ICMP packets from external systems (ICMP type 13 and 14) using a firewall to avoid exposing the system
time.
- If the Internet is used as a WAN medium for carrying VPN tunnels, use a demilitarized zone (DMZ) for terminating
connections from the Internet. Remote connections should terminate in the DMZ network, which would be segregated from
other networks by a firewall. The ARM600 server should be located in this DMZ.
- Change the default user credentials of ARM600 and Arctic wireless gateways into non-defaults and use complex
non-guessable passwords with special characters. Do not reuse passwords within the system.
- Use administrator (i.e., root user) privileges only when required by the task.
- Supporting systems, such as PCs used for configuration, should be frequently updated. If possible, use dedicated site
PCs for upgrading and engineering purposes. At a minimum, PCs should be investigated by running a full virus scan with
recently updated signature files before introducing the PC to the OT system. Any data, such as device configurations and
firmware update files, should be virus scanned prior to transferring to the Arctic system.
- Introduce a backup policy to ensure periodic backups and backup revision numbering. Consider the following:
  a. Check that the entire system has backups available from all applicable parts.
  b. Store the backups in a safe place (e.g. in an encrypted storage), restricted by role-based access control
     mechanisms.
  c. Ensure the security of the configuration PCs that may have local copies of device configurations.
  d. Validate the backups to ensure they are working.
- Follow cyber security best practices for installation, operation, and decommissioning as described in the product's
cyber security deployment guideline and user manual.
- Use continuous monitoring (e.g., intrusion detection/prevention tools) to detect anomalies in the system.
- Consider hardening the system according to the following:
  a. Remove any unnecessary communication links in the system.
  b. If possible, close unused physical ports.
  c. Open only the necessary TCP/UDP ports in the configuration.
  d. Remove all unnecessary user accounts.
  e. Restrict traffic by firewall.
  f. Allow the traffic only from/to necessary hosts' IP addresses (i.e., define both source and destination in the
     firewall rules, where possible).
  g. Define client IP address as allowed address in SCADA communication protocols, if such configuration is
     supported.
  h. Remove or deactivate all unused processes, communication ports, and services where possible.
  i. Use physical access controls to the system installations (e.g., to server rooms and device cabinets).
- In ARM600SW installations, avoid servers with AMD processors vulnerable to the following: CVE-2021-26401,
CVE-2023-20569 and CVE-2023-20593.
- Avoid using AX88179_178A chipset-based USB-to-ethernet devices.

ABB strongly recommends the following (non-exhaustive) list of cyber security practices for any installation of
software-related ABB products:

- Isolate special purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them
from any general purpose network (e.g., office or home networks).
- Install physical controls to ensure no unauthorized personnel can access the devices, components, peripheral
equipment, and networks.
- Never connect programming software or computers containing programming software to any network other than the network
intended for the devices.
- Scan all data imported into the environment before use to detect potential malware infections.
- Minimize network exposure for all applications and endpoints to ensure they are not accessible from the Internet
unless they are designed for such exposure and the intended use requires it.
- Ensure all nodes are always up to date with installed software, operating system, and firmware patches, as well as
anti-virus and firewall updates.
- When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may
have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as
secure as the connected devices.");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20032");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(120, 787);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/03/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:abb:arm600_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:abb:sw_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/ABB");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/ABB');

var asset = tenable_ot::assets::get(vendor:'ABB');

var vuln_cpes = {
    "cpe:/o:abb:arm600_firmware:-" :
        {"versionEndIncluding": "5.0.3", "versionStartIncluding": "4.1.2", "family" : "AbbM2M"},
    "cpe:/o:abb:sw_firmware:-" :
        {"versionEndIncluding": "5.0.3", "versionStartIncluding": "5.0.1", "family" : "AbbM2M"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
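As an added illustration (not Tenable's code and not part of the plugin above), the following Python re-implements the decision that tenable_ot::cve::compare_and_report makes from the vuln_cpes table: an asset is flagged when its CPE is listed and its firmware version falls inside the inclusive range. The affected ranges are copied from the plugin; the asset versions used in the demonstration are constructed, and numeric segment comparison is used so that 5.0.10 is correctly treated as newer than 5.0.3.

```python
"""Version-range check mirroring the plugin's vuln_cpes table.
Added example, not Tenable's implementation; ranges copied from the page."""
import re

# Affected firmware ranges, copied from the plugin's vuln_cpes table.
VULN_CPES = {
    "cpe:/o:abb:arm600_firmware:-": {"versionStartIncluding": "4.1.2",
                                     "versionEndIncluding": "5.0.3"},
    "cpe:/o:abb:sw_firmware:-": {"versionStartIncluding": "5.0.1",
                                 "versionEndIncluding": "5.0.3"},
}


def parse_version(v):
    """Turn '5.0.10' into (5, 0, 10). Comparing integer tuples avoids the
    string-compare bug where '5.0.10' < '5.0.3'. A non-numeric trailer such
    as '3-rc1' contributes only its leading digits."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def in_range(version, start, end):
    """Inclusive bounds, matching the *Including keys used by the plugin.
    Shorter tuples are zero-padded so that 5.0 compares equal to 5.0.0."""
    v, s, e = parse_version(version), parse_version(start), parse_version(end)
    n = max(len(v), len(s), len(e))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(s) <= pad(v) <= pad(e)


def is_vulnerable(asset_cpe, asset_version, table=VULN_CPES):
    """True when the asset's CPE is in the table and its version lies inside
    the affected range; CPEs absent from the table are never flagged."""
    rng = table.get(asset_cpe)
    if rng is None:
        return False
    return in_range(asset_version, rng["versionStartIncluding"],
                    rng["versionEndIncluding"])


if __name__ == "__main__":
    # Constructed sample assets, not real inventory data.
    for cpe, ver in [("cpe:/o:abb:arm600_firmware:-", "5.0.3"),
                     ("cpe:/o:abb:arm600_firmware:-", "5.0.10"),
                     ("cpe:/o:abb:sw_firmware:-", "4.1.2")]:
        print(cpe, ver, "VULNERABLE" if is_vulnerable(cpe, ver) else "ok")
```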

Scores (current as of 14 Feb 2026): Vulners AI Score 7.6 (High risk); CVSS 3.1: 9.8; EPSS: 0.07124.