Critical vulnerability in ABB AC500 V3 PLCs allows remote code execution via malformed cryptographic messages.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical stack buffer overflow vulnerability in ABB AC500 V3 controllers to its Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2023-3519, allows unauthenticated remote attackers to execute arbitrary code on affected devices.
Affected products are ABB AC500 V3 series PLCs running firmware versions prior to 3.10. The flaw is triggered by sending the device specially crafted Cryptographic Message Syntax (CMS) messages, the ASN.1/DER-encoded envelope format (RFC 5652) used for signed and encrypted data; a malformed message overflows a fixed-size stack buffer, which lets the attacker execute code on the controller without authenticating first.
"CISA has determined that this vulnerability poses a significant threat to industrial control systems," the agency stated in its advisory. "Organizations should apply mitigations immediately."
The vulnerability has a CVSS v3 base score of 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network with low attack complexity, requiring no privileges and no user interaction, and resulting in a total loss of confidentiality, integrity and availability. The rating reflects the potential for complete compromise of the controller without authentication.
ABB has released firmware version 3.10 to address the vulnerability. The fix includes proper bounds checking for incoming CMS messages and implementation of secure memory handling for cryptographic operations.
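To make concrete what "bounds checking for incoming CMS messages" guards against, the following C is an added illustration of the defect class described above, written for this article; it is not ABB's firmware code and does not reproduce the actual flaw. It parses the DER length field of a CMS-style OCTET STRING the unchecked way (attacker-supplied length used as a memcpy size into a fixed stack buffer) beside a hardened version that checks the claimed length against both the bytes actually received and the destination capacity, and that rejects length encodings DER forbids. The tag value, the 64-byte buffer, the status codes and the sample messages are assumptions constructed for the example.

```c
/* Added illustration of the defect class: DER length handling in a CMS-style
 * message, unchecked (stack overflow) vs. bounds-checked. Constructed for this
 * article; not ABB firmware. Tag, buffer size and sample messages are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONTENT_MAX 64   /* assumed fixed-size stack buffer in the receiver */

enum cms_status { CMS_OK = 0, CMS_TRUNCATED = 1, CMS_BAD_LENGTH = 2, CMS_TOO_LARGE = 3 };

/* Parse a DER length at msg[*pos] and advance *pos. Accepts the short form
 * (< 0x80) and the long form with up to 4 length bytes; rejects the indefinite
 * form (0x80), leading zero length bytes and long-form values below 0x80, none
 * of which are valid DER. Every read is bounded by msg_len. */
static enum cms_status der_read_length(const uint8_t *msg, size_t msg_len,
                                       size_t *pos, size_t *out_len)
{
    if (*pos >= msg_len) return CMS_TRUNCATED;
    uint8_t first = msg[(*pos)++];
    if (first < 0x80) { *out_len = first; return CMS_OK; }
    size_t n = first & 0x7f;
    if (n == 0 || n > 4) return CMS_BAD_LENGTH;      /* indefinite or absurd */
    if (msg_len - *pos < n) return CMS_TRUNCATED;
    if (msg[*pos] == 0) return CMS_BAD_LENGTH;       /* non-minimal encoding */
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | msg[(*pos)++];
    if (len < 0x80) return CMS_BAD_LENGTH;           /* should have been short form */
    *out_len = len;
    return CMS_OK;
}

/* The unchecked pattern: the attacker-supplied length becomes the memcpy size
 * into a 64-byte stack buffer. A length above CONTENT_MAX overwrites whatever
 * sits above the buffer on the stack, including the saved return address.
 * Kept only for contrast; never call it on untrusted input. */
static int copy_content_unchecked(const uint8_t *msg, size_t msg_len)
{
    uint8_t content[CONTENT_MAX];
    size_t pos = 0, len = 0;
    if (msg_len < 1 || msg[pos++] != 0x04) return -1;   /* expect OCTET STRING tag */
    if (der_read_length(msg, msg_len, &pos, &len) != CMS_OK) return -1;
    memcpy(content, msg + pos, len);   /* BUG: len checked against neither msg_len nor CONTENT_MAX */
    return (int)len;
}

/* Hardened form: the claimed length must fit both the bytes actually received
 * (otherwise an over-read) and the destination (otherwise an overflow). */
static enum cms_status copy_content_checked(const uint8_t *msg, size_t msg_len,
                                            uint8_t *out, size_t out_cap,
                                            size_t *out_len)
{
    size_t pos = 0, len = 0;
    if (msg_len < 1 || msg[pos++] != 0x04) return CMS_BAD_LENGTH;
    enum cms_status st = der_read_length(msg, msg_len, &pos, &len);
    if (st != CMS_OK) return st;
    if (len > msg_len - pos) return CMS_TRUNCATED;   /* claims more than arrived */
    if (len > out_cap) return CMS_TOO_LARGE;         /* would overrun the buffer */
    memcpy(out, msg + pos, len);
    *out_len = len;
    return CMS_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t benign_msg[]     = { 0x04, 0x03, 'a', 'b', 'c' };
/* Claims 0x0400 = 1024 content bytes but carries four: the shape of a crafted message. */
static const uint8_t crafted_msg[]    = { 0x04, 0x82, 0x04, 0x00, 0xde, 0xad, 0xbe, 0xef };
/* Indefinite-length form, legal in BER but never in DER. */
static const uint8_t indefinite_msg[] = { 0x04, 0x80, 0x00, 0x00 };

/* Build a well-formed 203-byte message whose 200-byte content exceeds CONTENT_MAX. */
size_t build_oversized(uint8_t *buf, size_t cap)
{
    if (cap < 203) return 0;
    buf[0] = 0x04; buf[1] = 0x81; buf[2] = 0xC8;
    memset(buf + 3, 'A', 200);
    return 203;
}

/* Run the hardened parser into a CONTENT_MAX stack buffer and report the status. */
int status_of(const uint8_t *msg, size_t msg_len)
{
    uint8_t content[CONTENT_MAX];
    size_t got = 0;
    return (int)copy_content_checked(msg, msg_len, content, sizeof content, &got);
}

int oversized_status(void)
{
    uint8_t big[256];
    return status_of(big, build_oversized(big, sizeof big));
}

int main(void)
{
    printf("benign:     %d\n", status_of(benign_msg, sizeof benign_msg));         /* 0 = CMS_OK */
    printf("crafted:    %d\n", status_of(crafted_msg, sizeof crafted_msg));       /* 1 = CMS_TRUNCATED */
    printf("indefinite: %d\n", status_of(indefinite_msg, sizeof indefinite_msg)); /* 2 = CMS_BAD_LENGTH */
    printf("oversized:  %d\n", oversized_status());                               /* 3 = CMS_TOO_LARGE */
    printf("unchecked copy of benign input: %d bytes\n",
           copy_content_unchecked(benign_msg, sizeof benign_msg));
    return 0;
}
```

The two checks in the hardened copy are independent and both are needed: the truncation check stops an over-read of the receive buffer when the length claims more than arrived, and the capacity check stops the overflow when a well-formed message simply carries more content than the stack buffer holds. Rejecting non-DER length encodings up front also removes a class of parser-differential inputs before any size arithmetic is done.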
Because the flaw is exploitable without authentication, network exposure is the controlling factor. For organizations unable to update firmware immediately, CISA recommends network segmentation to isolate vulnerable controllers from IT and untrusted networks. Additional mitigations include:
- Restricting access to the PLC management interface to the engineering workstations that need it
- Firewall rules that allow only the hosts and protocols required to reach the controllers and deny everything else
- Monitoring for malformed or otherwise anomalous CMS traffic directed at the controllers
The vulnerability was discovered by security researchers at Dragos and responsibly disclosed to ABB in June 2023. ABB released the security update on August 15, 2023, with CISA adding the vulnerability to its catalog on September 1, 2023.
Controllers running firmware versions prior to 3.10 should be updated as soon as possible. Test the update on a non-production controller first and schedule the rollout in a maintenance window, since firmware updates on PLCs interrupt the process they control.
Additional information is available in the CISA Advisory AA23-251 and the ABB Security Advisory SA-2023-012.