OTPulse

ABB SREA-01 and SREA-50

Act Now · 9.8 · ICS-CERT ICSA-17-222-05 · Aug 10, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ABB SREA-01 (revisions A, B, C) and SREA-50 (revision A) contain a path traversal vulnerability that allows remote attackers to read arbitrary files on the device without authentication. The vulnerability affects application versions before SREA-01 v3.31.15 and SREA-50 v3.32.8. Public exploits are available. The weakness is classified as CWE-23 (Relative Path Traversal).

What this means
What could happen
An attacker could read sensitive files on your relay, including configuration data and potentially hardcoded credentials, without needing a valid account. This could lead to exposure of critical plant operating parameters and passwords.
Who's at risk
This affects ABB SREA-01 and SREA-50 numerical relays used in electrical substations and distribution systems. SREA relays are protection and control devices deployed across transmission and distribution networks. Any operator using these relay models in revisions A, B, C (SREA-01) or revision A (SREA-50) should be concerned.
How it could be exploited
An attacker on the network can send a specially crafted request to the web interface of the SREA-01 or SREA-50 relay using a path traversal payload (e.g., ../../etc/passwd). The device responds with the contents of arbitrary files, revealing configuration, certificates, and credentials stored on the relay.
Prerequisites
  • Network access to the web interface port of the SREA-01 or SREA-50 relay
  • No credentials required
  • Public exploits are available
remotely exploitable · no authentication required · low complexity · public exploits available · no patch available for affected revisions
Exploitability
Moderate exploit probability (EPSS 2.1%)
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
SREA-50 revision A: application | <3.32.8 | No fix (EOL)
SREA-01 revisions A B C: application | <3.31.15 | 3.31.15
Remediation & Mitigation
Do now
WORKAROUND: Implement network access controls to restrict who can reach the web interface of SREA-01 and SREA-50 relays. Use firewall rules to limit port access to authorized engineering workstations only.
HARDENING: Disable the web interface on SREA-01 and SREA-50 relays if it is not operationally required; manage the relays via serial console or approved engineering access only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Evaluate and test SREA application firmware updates (v3.31.15 for SREA-01, v3.32.8 for SREA-50) in a non-production environment first; apply during a scheduled maintenance window.
Mitigations - no patch available
SREA-50 revision A: application has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment relay management networks from normal IT and field networks using network boundaries and firewall policies; relays should not be directly accessible from non-engineering networks.
HARDENING: Monitor relay access logs and network traffic for suspicious requests to the web interface (port 80/443) or path traversal attempts (URLs containing ../ or %2e%2e).
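
The monitoring control above can be prototyped as follows. This is an added example, not code from OTPulse, ABB or ICS-CERT; it assumes requests to the relay's web interface are recorded in Common Log Format by a proxy or sensor in front of the device, and all function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (assumed format, e.g. from a
# reverse proxy or sensor in front of the relay; not the relay's own logs).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

MAX_DECODE_ROUNDS = 3  # also catches repeated percent-encoding such as %252e

def normalize_target(target: str) -> str:
    """Percent-decode repeatedly and unify path separators."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def has_traversal(target: str) -> bool:
    """True if any path or query segment is exactly '..' after decoding."""
    segments = re.split(r"[/?&=;]", normalize_target(target))
    return ".." in segments

def scan(lines):
    """Return (source, raw target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["src"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2017:10:00:05 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1204',
    '198.51.100.7 - - [10/Aug/2017:10:00:06 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1204',
    '198.51.100.7 - - [10/Aug/2017:10:00:07 +0000] "GET /%252e%252e%2fetc%2fpasswd HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Aug/2017:10:00:09 +0000] "GET /files/report..v2.pdf HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for src, target, status in scan(SAMPLE_LOG):
        flag = "RESPONDED" if status == 200 else "blocked/failed"
        print(f"{src} {target} -> {status} ({flag})")
```

Flagged requests that received a 200 are the ones to triage first, since the device returned content for them. Matching on whole `..` segments after decoding avoids false positives on file names that merely contain two dots.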
ABB SREA-01 and SREA-50 | CVSS 9.8 - OTPulse