No Patch Coming for Newly Announced Vulnerabilities in ABB Legacy Products

Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:32:30


Two independent researchers who’ve been warning of the threat of serious attacks against bug-riddled ICS and SCADA systems today issued an alert through ICS-CERT that vulnerabilities in ABB products could lead to DoS attacks or allow an attacker to remotely launch malicious code. No patch is expected.

Terry McCorkle and Billy Rios discovered a stack-based buffer overflow flaw in various components of ABB WebWare Server applications, particularly the COM and ActiveX scripting interfaces that are used across multiple ABB platforms. Other impacted controls provide graphical elements for Web pages and custom human-machine interfaces, according to an ICS -CERT advisory.

Affected products include all versions of ABB WebWare Server (including Data Collector and Interlink); WebWare SDK; ABB Interlink Module; S4 OPC Server; RobotStudio S4 and RobotStudio Lite.

“Because these are legacy products nearing the end of their life cycles, ABB does not intend to patch these vulnerable components,” the advisory states.

At present, there are no known exploits targeting these vulnerable components, but the disclosure are yet another sign the basic security model underlying the ICS systems that run critical services such as power, water and others, is not prepared for the risks now present through Internet connectivity and Web-based mobile devices such as smartphones.

“People are gonna get owned, it’s going to hurt,” McCorkle said in February at a Kaspersky-Threatpost Security Analyst Summit. He and Rios are behind the discovery – and disclosure – of myriad ICS and SCADA bugs that threaten critical infrastructure networks.

Because ABB doesn’t intend to issue a patch, mainly because it no longer actively supports these legacy products at the end of their life cycle, owners of affected products should contact their local ABB Robotics service center or email for mitigation advice.

ICS-CERT recommends taking additional defensive measures such as minimizing critical devices’ exposure to the Internet; placing control system networks and remote devices behind firewalls and isolating them from the business network; and using a VPN or another secure method when allowing remote access.