ABB Ellipse

MonitorCVSS 6.5ICS-CERT ICSA-17-353-01Dec 19, 2017

ABB

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

ABB Ellipse versions 8.5.26 through 8.9.6 contain an unauthenticated remote information disclosure vulnerability in the maintenance port. An attacker without credentials can connect to the maintenance interface and extract sensitive configuration data, including user credentials, system settings, and other confidential information. The vulnerability affects all recent Ellipse versions released in December 2017 and requires only network access to the maintenance port to exploit. No vendor patches are available.

What this means

What could happen

An attacker with network access to the Ellipse maintenance port could access confidential configuration data including user credentials, which could enable further compromise of the asset management system or connected industrial processes.

Who's at risk

Organizations operating ABB Ellipse (versions 8.5.26 through 8.9.6) for asset management, maintenance planning, or process control integration, particularly utilities, manufacturing plants, and facilities with networked industrial equipment.

How it could be exploited

An attacker on the same network segment as an Ellipse server connects to the maintenance port without authentication and sends commands to extract configuration data, including stored credentials and system settings. No special knowledge or credentials are needed.

Prerequisites

Network access to Ellipse maintenance port (requires same network segment or direct routing)
No authentication credentials required

remotely exploitableno authentication requiredlow complexityaffects maintenance and configuration systemscredential exposure risk

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

Ellipse 8.8.12: Release 7 Dec 20178.8.12No fix (EOL)

Ellipse 8.9.6: Release 7 Dec 20178.9.6No fix (EOL)

Ellipse 8.5.26: Release 7 Dec 20178.5.26No fix (EOL)

Ellipse 8.7.18: Release 7 Dec 20178.7.18No fix (EOL)

Ellipse 8.6.21: Release 5 Dec 20178.6.21No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to the Ellipse maintenance port using firewall rules; limit to trusted engineering workstations only

HARDENINGMonitor and disable the maintenance port if not actively used for system administration

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGChange all stored credentials in Ellipse after implementing network access controls

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Ellipse 8.8.12: Release 7 Dec 2017, Ellipse 8.9.6: Release 7 Dec 2017, Ellipse 8.5.26: Release 7 Dec 2017, Ellipse 8.7.18: Release 7 Dec 2017, Ellipse 8.6.21: Release 5 Dec 2017. Apply the following compensating controls:

HARDENINGSegment the Ellipse server onto a separate network that is not reachable from standard IT networks or the internet

CVEs (1)

CVE-2017-16731

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1dd79544-9f9c-4a56-98fb-57f227b6b071

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.