A path-traversal vulnerability has been discovered in ABB Totalflow flow computers and controllers that could lead to code injection and arbitrary code execution (ACE).
The high-risk vulnerability (tracked as CVE-2022-0902) has a CVSS v3 score of 8.1 and affects several ABB G5 products. It was discovered by security researchers at Team82, Claroty’s research arm.
“Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code,” the company wrote in an advisory published on Tuesday.
In particular, attackers could try to exploit the vulnerability by creating a specially crafted message and sending it to an affected system node.
The attack would require the attacker to have access to the system network, either directly or through a misconfigured or breached firewall. Alternatively, they could install malicious software on a system node or infect the network itself with malware.
Team82 has said it disclosed the vulnerability to ABB, which promptly released a firmware update that resolves the vulnerability in several product versions.
“The update removes the vulnerability by modifying the way that the Totalflow protocol validates messages and verifies input data,” ABB explained.
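The fix ABB describes, validating the path carried in a message before the device touches its filesystem, is the general defence against this bug class. The following is an added example, not ABB's or Claroty's code: it uses a constructed message format and a placeholder base directory rather than the real Totalflow wire protocol, and shows a handler that rejects any request whose path would resolve outside the permitted directory.

```python
import os
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Placeholder export directory for the example; not a real device path.
BASE_DIR = "/var/lib/example-device/exports"


def parse_message(raw: bytes) -> Tuple[str, str, str]:
    """Split a constructed "<opcode>|<relative path>|<payload>" message.

    This format is invented for the example and is not the Totalflow protocol.
    """
    opcode, path, payload = raw.decode("utf-8", "strict").split("|", 2)
    return opcode, path, payload


def resolve_within(base: str, requested: str) -> Optional[str]:
    """Return the absolute target for `requested` only if it stays under `base`.

    Two layers: the textual path is checked first (absolute paths, '..'
    components and NUL bytes are rejected outright), then the joined path is
    canonicalised with realpath so symlinks cannot escape the base directory.
    """
    parts = PurePosixPath(requested)
    if parts.is_absolute() or ".." in parts.parts or "\0" in requested:
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath guards against prefix tricks such as "/a/b" vs "/a/bc".
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def handle_write(raw: bytes, base: str = BASE_DIR) -> Optional[str]:
    """Validate a constructed WRITE request; return the safe target or None.

    A real handler would write `payload` to the returned path; here the
    validation decision is the point, so the file is not created.
    """
    opcode, path, _payload = parse_message(raw)
    if opcode != "WRITE":
        return None
    return resolve_within(base, path)
```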
The advisory also recommends network segmentation as a mitigation strategy.
“To mitigate this vulnerability, the ABB device should only be connected to a network segment that restricts access to authorized users,” reads the ABB technical write-up. “The vulnerability is only exposed when the attacker has access to the network where the ABB device is running Totalflow TCP protocol.”
Further mitigation strategies include installing physical controls so that unauthorized personnel cannot access devices and networks, and scanning all data imported into the environment before use to detect potential malware.
A complete list of security recommendations, alongside details about CVE-2022-0902, is available in the original text of the ABB advisory.
The mitigation comes weeks after the Cybersecurity and Infrastructure Security Agency (CISA) issued a new report outlining cybersecurity performance goals (CPGs) for critical infrastructure sectors.