Lucene search
K

ABB M2M Gateway HTTP Request Smuggling in embedded Apache HTTP Server (CVE-2023-25690)

🗓️ 27 May 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 28 Views

HTTP Request Smuggling in Apache Server allows bypass of controls; update to 2.4.56 recommended.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690)
21 Mar 202310:02
ibm
IBM Security Bulletins
Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to HTTP request splitting attacks due to an error using mod_proxy (CVE-2023-25690).
29 Aug 202321:19
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server
31 Aug 202319:46
ibm
IBM Security Bulletins
Security Bulletin: IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690)
4 Apr 202316:02
ibm
IBM Security Bulletins
Security Bulletin: A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690]
28 Mar 202307:48
ibm
IBM Security Bulletins
Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities
7 Jun 202316:53
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities have been identified in OpenSSL, Apache HTTP Server and other system libraries shipped with the DS8000 Hardware Management Console (HMC)
12 Jul 202311:03
ibm
IBM Security Bulletins
Security Bulletin: Cloud Pak System is vulnerable to HTTP request splitting attack.
1 Oct 202419:35
ibm
IBM Security Bulletins
Security Bulletin: IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On uses IBM HTTP Server that is vulnerable to HTTP request splitting (CVE-2023-25690)
29 Mar 202304:38
ibm
IBM Security Bulletins
Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2023
28 Apr 202314:09
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(503262);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/14");

  script_cve_id("CVE-2023-25690");
  script_xref(name:"ICSA", value:"25-105-08");

  script_name(english:"ABB M2M Gateway HTTP Request Smuggling in embedded Apache HTTP Server (CVE-2023-25690)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Some mod_proxy configurations on Apache HTTP Server versions 2.4.0
through 2.4.55 allow a HTTP Request Smuggling attack. Configurations
are affected when mod_proxy is enabled along with some form of
RewriteRule or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and is
then re-inserted into the proxied request-target using variable
substitution. For example, something like: RewriteEngine on
RewriteRule ^/here/(.*) http://example.com:8080/elsewhere?$1; [P]
ProxyPassReverse /here/ http://example.com:8080/ Request
splitting/smuggling could result in bypass of access controls in the
proxy server, proxying unintended URLs to existing origin servers, and
cache poisoning. Users are recommended to update to at least version
2.4.56 of Apache HTTP Server.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-08");
  # https://search.abb.com/library/Download.aspx?DocumentID=2NGA002579&LanguageCode=en&DocumentPartId=pdf&Action=Launch
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?310ae51a");
  # http://packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?44f61e90");
  script_set_attribute(attribute:"see_also", value:"https://httpd.apache.org/security/vulnerabilities_24.html");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/202309-01");
  # http://packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?44f61e90");
  script_set_attribute(attribute:"see_also", value:"https://httpd.apache.org/security/vulnerabilities_24.html");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/202309-01");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

For more information, please refer to ABB's Cybersecurity Advisory 2NGA002579. It provides a comprehensive mapping of
mitigation applicability in relation to each individual vulnerability listed.

ABB recommends the following mitigations:

- Obtain a cellular private access point (APN). A dedicated private cellular access point and respective SIM card
subscriptions can be requested from the cellular service provider. This service doesn't expose the traffic between
remote sites and the main site to the Internet but rather uses the cellular operator's private wide area network (WAN).
Therefore, the ARM600 wouldn't need open ports to the Internet.
- Avoid exposing any system component to the Internet. If the ARM600 must be exposed to the Internet, only the VPN port
should be opened towards the Internet (e.g., Patrol management connections can be configured to use a VPN tunnel, and
remote administration connections can be implemented using an OpenVPN PC-client).
- The ARM600 system is by default not dependent on the name service (DNS). If the name service is not used in the
system, the name service port (TCP/UDP Port 53) can be blocked by a firewall.
- Perform firewall configuration using the 'allowlisting' principle, explicitly allowing only the required ports and
protocols and blocking all other traffic.
- Filter specific ICMP packets from external systems (ICMP type 13 and 14) using a firewall to avoid exposing the system
time.
- If the Internet is used as a WAN medium for carrying VPN tunnels, use a demilitarized zone (DMZ) for terminating
connections from the Internet. Remote connections should terminate in the DMZ network, which would be segregated from
other networks by a firewall. The ARM600 server should be located in this DMZ.
- Change the default user credentials of ARM600 and Arctic wireless gateways into non-defaults and use complex non-
guessable passwords with special characters. Do not reuse passwords within the system.
- Use administrator (i.e., root user) privileges only when required by the task.
- Supporting systems, such as PCs used for configuration, should be frequently updated. If possible, use dedicated site
PCs for upgrading and engineering purposes. At a minimum, PCs should be investigated by running a full virus scan with
recently updated signature files before introducing the PC to the OT system. Any data, such as device configurations and
firmware update files, should be virus scanned prior to transferring to the Arctic system.
- Introduce a backup policy to ensure periodic backups and backup revision numbering. Consider the following:a. Check
that the entire system has backups available from all applicable parts.b. Store the backups in a safe place (e.g. in an
encrypted storage), restricted by role-based access control mechanisms.c. Ensure the security of the configuration PCs
that may have local copies of device configurations.d. Validate the backups to ensure they are working.
- Follow cyber security best practices for installation, operation, and decommissioning as described in the product's
cyber security deployment guideline and user manual.
- Use continuous monitoring (e.g., intrusion detection/prevention tools) to detect anomalies in the system.
- Consider hardening the system according to the following:a. Remove any unnecessary communication links in the
system.b. If possible, close unused physical ports.c. Open only the necessary TCP/UDP ports in the configuration.d.
Remove all unnecessary user accounts.e. Restrict traffic by firewall.f. Allow the traffic only from/to necessary hosts'
IP addresses (i.e., define both source and destination in the firewall rules, where possible).g. Define client IP
address as allowed address in SCADA communication protocols, if such configuration is supported.h. Remove or deactivate
all unused processes, communication ports, and services where possible.i. Use physical access controls to the system
installations (e.g., to server rooms and device cabinets).
- In ARM600SW installations, avoid servers with AMD processors vulnerable to the following: CVE-2021-26401,
CVE-2023-20569 and CVE-2023-20593.
- Avoid using AX88179_178A chipset-based USB-to-ethernet devices.

ABB strongly recommends the following (non-exhaustive) list of cyber security practices for any installation of
software-related ABB products:

- Isolate special purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them
from any general purpose network (e.g., office or home networks).
- Install physical controls to ensure no unauthorized personnel can access the devices, components, peripheral
equipment, and networks.
- Never connect programming software or computers containing programming software to any network other than the network
intended for the devices.
- Scan all data imported into the environment before use to detect potential malware infections.
- Minimize network exposure for all applications and endpoints to ensure they are not accessible from the Internet
unless they are designed for such exposure and the intended use requires it.
- Ensure all nodes are always up to date with installed software, operating system, and firmware patches, as well as
anti-virus and firewall updates.
- When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may
have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as
secure as the connected devices.");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-25690");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(444);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:abb:arm600_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:abb:sw_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/ABB");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/ABB');

var asset = tenable_ot::assets::get(vendor:'ABB');

var vuln_cpes = {
    "cpe:/o:abb:arm600_firmware:-" :
        {"versionEndIncluding": "5.0.3", "versionStartIncluding": "4.1.2", "family" : "AbbM2M"},
    "cpe:/o:abb:sw_firmware:-" :
        {"versionEndIncluding": "5.0.3", "versionStartIncluding": "5.0.1", "family" : "AbbM2M"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation