
MOSCOWTIMES: News from the land of vodka and Tetris (2,977 messages)


Message 107 of 2,977
Sean Rima to All
ABB MV Drives
22 Apr 25 17:30:14

MSGID: 2:263/1.0 55dccbcd
TZUTC: 0100
CHRS: CP850 2

ABB MV Drives

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ABB
  • Equipment: MV Drives
  • Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the drive or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports that the following MV Drives are affected by CODESYS RTS (Runtime System) vulnerabilities:

  • ACS6080: LAAAA 2.10.0 to LAAAB 5.06.1
  • ACS5000: LAAAB 4.03.0 to LAAAB 5.06.1
  • ACS6000: LAAAA 2.10.0 to LAAAB 5.06.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The CODESYS Control runtime system does not restrict memory access. An improper restriction of operations within the bounds of a memory buffer allows an attacker with user-privileged access to the drive to gain full access to the drive.

CVE-2022-4046 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-4046. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37550 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37550. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37549 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37549. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37548 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37548. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37547 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37547. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after a user successfully authenticates, specially crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37546 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37546. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37545 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37545. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37556 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37556. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37555 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37555. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37554 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37554. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.11 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37553 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37553. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.12 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37552 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37552. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.13 OUT-OF-BOUNDS WRITE CWE-787

After successful user authentication in multiple versions of various CODESYS products, specifically crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, potentially leading to a denial-of-service condition.

CVE-2023-37557 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37557. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.14 IMPROPER INPUT VALIDATION CWE-20

After successful user authentication in multiple versions of various CODESYS products, specifically crafted network communication requests with inconsistent content can cause the CmpAppForce component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37559 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37559. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.15 IMPROPER INPUT VALIDATION CWE-20

After successful user authentication in multiple versions of various CODESYS products, specifically crafted network communication requests with inconsistent content can cause the CmpAppForce component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37558 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37558. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

ABB reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB recommends users apply a firmware update as soon as possible to the latest firmware, i.e. LAAAB v. 5.07 and higher, for the affected products. ABB has addressed the CODESYS Runtime System vulnerabilities by disabling the IEC online programming communication by default. As a result, CODESYS communication between affected products and the ABB Automation Builder or ABB Drive Application Builder tools is disabled.

It should be noted that the CODESYS application continues to run on the Drive and if it is necessary to establish communication with CODESYS RTS, for example to debug the CODESYS application, this is possible through the drive parameter configuration. Open the user lock via the "96.02 Pass code" parameter and make sure that bit 9 "Enable online IEC programming" is set to TRUE in the "96.102 User lock functionality" parameter. IMPORTANT: After this task, be sure to disable CODESYS communication by setting the bit back to FALSE.

A future firmware update is planned to update the CODESYS RTS library, which will further strengthen defenses for the vulnerabilities mentioned above.

ABB recommends the following mitigating factors:

To exploit these vulnerabilities, a successful login to the affected product is required. This can be achieved by one of the following methods:

  • Connecting a computer to the Drive that is running Drive Automation Builder or Drive Composer.
  • Having access to the local network where the drive is located. In this case, an attacker could send malformed packets directly to the drive.

To make the attack more difficult and less likely to succeed, provide network isolation where the drive is located and ensure that no computer running Drive Automation Builder or Drive Composer is connected to the drive without proper security controls. Please refer to "General security recommendations" for further advice on how to keep the drive secure.

ABB proposes the following workaround to mitigate this threat for situations where the above actions are not feasible:

  • Set bit 2 "Disable file download" to TRUE in the "96.102 User lock functionality" parameter.

Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors. Please see below to understand possible reduced functionality of the drive. IMPORTANT: Contact qualified and certified ABB personnel for more information about the parameter handling of the affected products.

Impact of workaround: This workaround restricts the updating of IEC programs, but existing IEC programs on Drives can still be used. To update an IEC program, the operator must unlock the user lock and enable file download in a protected network environment. It is highly recommended to disable file download, as vulnerabilities are more easily exploitable when file download is enabled. WARNING: The user lock cannot be opened even by ABB if the pass code is lost.
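The firmware ranges from section 3.1 and the two "96.102 User lock functionality" bits named in this section (bit 9 to be left FALSE after use, bit 2 to be set TRUE) can be turned into a configuration audit for a drive inventory. The block below is an added example, not ABB's or CISA's code; it assumes that bit n of 96.102 has the value 1 << n (bit 0 least significant) and that the letter code of a firmware string sorts before its numeric part, which is how the listed ranges read. Neither assumption is stated by the advisory.

```python
import re

# Affected ranges as listed in section 3.1 (inclusive); fixed in LAAAB 5.07 and higher.
AFFECTED = {
    "ACS6080": ("LAAAA 2.10.0", "LAAAB 5.06.1"),
    "ACS5000": ("LAAAB 4.03.0", "LAAAB 5.06.1"),
    "ACS6000": ("LAAAA 2.10.0", "LAAAB 5.06.1"),
}
# Bits of parameter "96.102 User lock functionality" named in the advisory.
# Assumption: bit n is the value 1 << n, with bit 0 the least significant bit.
BIT_DISABLE_FILE_DOWNLOAD = 2
BIT_ENABLE_ONLINE_IEC = 9

_FW = re.compile(r"^([A-Z]+)\s+(\d+)\.(\d+)\.(\d+)$")


def parse_fw(s: str) -> tuple:
    """'LAAAB 5.06.1' -> ('LAAAB', 5, 6, 1).
    Assumption: the letter code orders before the numeric part, as the ranges read."""
    m = _FW.match(s.strip())
    if not m:
        raise ValueError("unrecognised firmware string: " + s)
    return (m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_affected(product: str, firmware: str) -> bool:
    """True if the firmware lies inside the advisory's affected range for the product."""
    lo, hi = AFFECTED[product]
    return parse_fw(lo) <= parse_fw(firmware) <= parse_fw(hi)


def audit_drive(product: str, firmware: str, user_lock_96_102: int) -> list:
    """Findings for one drive: affected firmware, online IEC programming left enabled,
    file download not disabled. Empty list = matches the advisory's recommended state."""
    findings = []
    if is_affected(product, firmware):
        findings.append("firmware %s in affected range; update to LAAAB 5.07 or higher" % firmware)
    if user_lock_96_102 & (1 << BIT_ENABLE_ONLINE_IEC):
        findings.append("96.102 bit 9 'Enable online IEC programming' is TRUE; set it back to FALSE")
    if not user_lock_96_102 & (1 << BIT_DISABLE_FILE_DOWNLOAD):
        findings.append("96.102 bit 2 'Disable file download' is FALSE; set TRUE per the workaround")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    inventory = [("ACS6080", "LAAAB 5.06.1", 1 << 9), ("ACS6080", "LAAAB 5.07.0", 1 << 2)]
    for product, fw, lock in inventory:
        print(product, fw, hex(lock), audit_drive(product, fw, lock) or ["OK"])
```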

For more information, see ABB's security advisory 9AKK108470A9989.

ABB strongly recommends the following general cybersecurity practices for any installation of software-related products (this list is non-exhaustive):

  • Isolate special purpose networks (e.g., automation systems) and remote devices behind firewalls, and separate them from any general-purpose network (e.g., office or home networks).
  • Install physical controls to prevent unauthorized personnel from accessing devices, components, peripheral equipment, and networks.
  • Never connect programming software or computers containing programming software to any network other than the network intended for the devices.
  • Scan all data imported into your environment before use to detect potential malware infections.
  • Minimize network exposure for all applications and endpoints to ensure they are not accessible from the Internet unless designed for such exposure and required for the intended use.
  • Ensure all nodes are always up to date with installed software, operating system, and firmware patches, as well as anti-virus and firewall protections.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
  • Install the drive in a secure location accessible only to authorized personnel.
  • Install physical controls to ensure only authorized personnel can access devices connected to the drive (e.g., computers, peripheral equipment, and networks).
  • Avoid connecting computers containing Drive Automation Builder programming software to any network other than the network intended for the devices.
  • Ensure security controls are followed on computers connected to the drive, such as installing updated security patches, firewalls, and anti-virus software, and running only authorized software. It is the user's responsibility to ensure these conditions.
  • More information on recommended practices can be found in Protecting operations through cyber security: ABB Drives solutions.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • April 22, 2025: Initial Republication of ABB PSIRT 9AKK108470A9989

https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-04
2025-04-22 12:00 UTC

--- BBBS/LiR v4.10 Toy-7
 * Origin: MoscowTimes feed - READ ONLY (2:263/1)
