ABB Relion 670 Series

Act Now10ICS-CERT ICSA-19-330-01Nov 26, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A path traversal vulnerability (CWE-22) in ABB Relion 670 series numerical relays allows an attacker with network access to the IEC 61850 protocol interface to read and delete arbitrary files on the device without authentication. Affected versions include Relion 670 series 1.2.3.17 and earlier, 2.0.0.10 and earlier (RES670 2.0.0.4 and earlier), 2.1.0.1 and earlier, and firmware branch 1p1r26 and earlier.

What this means

What could happen

An attacker with network access to the IEC 61850 interface could read sensitive configuration or operational data and delete files from the Relion 670 device, potentially disrupting relay function or erasing critical event logs.

Who's at risk

Electric utility protection and control engineers who operate ABB Relion 670 series numerical relays in distribution, transmission, or substation protection schemes. This affects any facility using the IEC 61850 protocol for protection relay communication or data exchange.

How it could be exploited

An attacker sends a malicious request to the IEC 61850 protocol handler on the Relion 670. The device improperly validates file path inputs (CWE-22 path traversal), allowing the attacker to read arbitrary files on the device or delete them using a single network connection without authentication.

Prerequisites

Network access to the Relion 670 device on the IEC 61850 port (typically TCP 102)
IEC 61850 protocol must be enabled on the device
No valid credentials required

Remotely exploitableNo authentication requiredLow complexity attackPath traversal vulnerability allows file manipulationAffects critical protection equipment

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (1)

ProductAffected VersionsFix Status

Relion 670 series:≤ 1.2.3.17; ≤ 2.0.0.10 (RES670 2.0.0.4 and prior); ≤ 2.1.0.1; ≤ 1p1r261.2.3.18

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable IEC 61850 protocol on Relion 670 devices if not actively used in your SCADA/protection system

HARDENINGRestrict network access to the Relion 670 IEC 61850 port (TCP 102) at the firewall; limit to only authorized engineering and SCADA devices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Relion 670 to patched version: 1p1r27 or later, 1.2.3.18 or later, 2.0.0.11 (RES670 2.0.0.5) or later, or 2.1.0.2 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate IEC 61850-capable devices on a separate control network with restricted ingress/egress rules

CVEs (1)

CVE-2019-18253

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cc011a96-9d56-4e4a-bd52-4c4fc306badf