OTPulse

ABB IP Gateway

Act Now | CVSS 9.8 | ICS-CERT ICSA-18-156-01 | Jun 5, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

ABB IP Gateway versions 3.39 and earlier contain authentication and authorization vulnerabilities (CWE-287, CWE-352, CWE-256) that allow unauthenticated remote attackers to perform administrative actions with system privileges. The vulnerabilities stem from weak credential validation and missing CSRF protections, enabling an attacker to gain control of the device and execute arbitrary commands.

What this means
What could happen
An attacker with network access to the IP Gateway could gain administrative control over the device and execute arbitrary commands with full system privileges, potentially enabling them to reconfigure network settings, access connected systems, or disrupt communications on the industrial network.
Who's at risk
This affects any organization using ABB IP Gateway devices in industrial networks, particularly water utilities, power distribution systems, and manufacturing facilities that rely on ABB's gateway devices for SCADA communications and remote management.
How it could be exploited
An attacker sends crafted network requests to the IP Gateway without providing credentials, exploiting weak authentication and authorization checks. The attacker gains administrative privileges and can remotely execute commands to manipulate the device configuration or the systems it manages.
Prerequisites
  • Network connectivity to the IP Gateway device
  • No credentials required

remotely exploitable | no authentication required | low complexity | critical CVSS score (9.8) | no patch available for affected versions | affects gateway/communication devices
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (1)
Product | Affected Versions | Fix Status
IP Gateway | ≤ 3.39 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the IP Gateway: place the device behind a firewall and deny external connections. Allow only trusted engineering workstations to communicate with it.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply the firmware update from the ABB Busch-Jaeger catalogue (link provided in advisory)
Mitigations - no patch available
IP Gateway has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the control system network from the business network using a demilitarized zone (DMZ) or air gap
HARDENING: If remote access is required, implement a VPN with strong encryption and keep it updated