OTPulse

ABB Panel Builder 800

MonitorCVSS 7ICS-CERT ICSA-18-198-01Jul 17, 2018
ABB
Attack path
Attack VectorLocal
Auth RequiredNone
ComplexityHigh
User InteractionRequired
Summary

ABB Panel Builder 800 is vulnerable to arbitrary code execution when a user opens a specially crafted project file. The vulnerability exists in all versions of Panel Builder 800. An attacker could craft a malicious file and send it to an engineer; when opened, the file would execute arbitrary code with the privileges of the user running Panel Builder 800. This requires social engineering to convince a user to open an untrusted file. No public exploits are known, and the vulnerability is not remotely exploitable. ABB is investigating this issue but has not yet released a corrected version.

What this means
What could happen
An attacker could run arbitrary code on an engineering workstation by embedding malware in a specially crafted Panel Builder 800 project file, potentially allowing modification of control logic or process configurations before deployment to PLCs.
Who's at risk
Engineering teams and automation technicians who use ABB Panel Builder 800 on Windows workstations are affected. This affects any organization operating ABB control systems where engineers develop or modify control logic, including water treatment plants, wastewater facilities, electric utilities, and manufacturing sites.
How it could be exploited
An attacker crafts a malicious Panel Builder 800 project file and sends it to an engineer or technician. When the user opens the file in Panel Builder 800, arbitrary code executes with the privileges of the user running the application. The attacker could then modify control logic, insert unauthorized functionality, or extract sensitive process information from the workstation.
Prerequisites
  • Local access to engineering workstation running Panel Builder 800
  • User must open a specially crafted .pnl or project file (social engineering required)
  • No elevated privileges required
  • No authentication bypass needed
no patch available (end-of-life or vendor investigating)requires user interactionaffects engineering/safety-critical workstationshigh complexity to exploit
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
ProductAffected VersionsFix Status
Panel Builder 800: all versionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/3
HARDENINGConduct cybersecurity awareness training for all Panel Builder 800 users emphasizing the risks of opening files from unknown or unexpected sources
WORKAROUNDScan all files transferred to engineering workstations with current antivirus software before opening in Panel Builder 800
HARDENINGImplement user account controls with least privilege principle—engineers should not run Panel Builder 800 with administrative rights
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGIsolate engineering workstations from business network and Internet; if remote access is needed, use a VPN with current security patches
HOTFIXMonitor for and apply any security updates from ABB when a corrected version becomes available
View full CISA ICS-CERT advisory
API: /api/v1/advisories/039ded8b-aa77-4391-b9f3-ee13622565dd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.