ABB Multiple System 800xA Products

MonitorCVSS 7.8ICS-CERT ICSA-20-154-03Jun 2, 2020

ABB

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Multiple ABB System 800xA modules contain vulnerabilities that allow authenticated attackers to crash system nodes or modify runtime process data. Affected modules include the DCI (Distributed Control Interface), Batch Management, OPC Server, MMS Server, SoftControl Base Software, Information Management, RNRP (Real-time Network Redundancy Protocol), MOD 300 interface, and the 800xA Base system. All versions of these products are vulnerable. Exploitation requires valid user credentials and interactive logon capability. ABB has not provided patches and states these will be addressed in future versions only.

What this means

What could happen

An attacker with valid user account credentials could make System 800xA nodes unreachable or alter runtime process data, disrupting production automation and batch operations.

Who's at risk

Water authorities and utilities running ABB System 800xA for industrial automation should be concerned. This affects distributed control systems (DCI), batch process management, real-time data management (RNRP), and the base platform. Any facility using 800xA for process automation, including water treatment, electric generation, or manufacturing, is potentially affected.

How it could be exploited

An attacker with valid credentials to a System 800xA workstation or service account could authenticate to the affected modules (DCI, Batch Management, OPC Server, etc.) and either crash the system node or modify running process parameters. This requires the attacker to already have compromised user credentials or have physical/network access to an authenticated service account.

Prerequisites

Valid user account credentials (local or remote logon)
Access to a System 800xA workstation or network path where the service is running
Interactive logon enabled for the compromised user account

No patch availableAffects automation platform used in critical infrastructureAuthentication required but service account compromise is realisticCould disable system nodes or alter setpoints in critical processes

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (9)

9 EOL

ProductAffected VersionsFix Status

800xA for DCI: all versionsAll versionsNo fix (EOL)

800xA Batch Management: all versionsAll versionsNo fix (EOL)

800xA Information Management: all versionsAll versionsNo fix (EOL)

MMS Server for AC 800M: all versionsAll versionsNo fix (EOL)

Base Software for SoftControl: all versionsAll versionsNo fix (EOL)

OPC Server for AC 800M: all versionsAll versionsNo fix (EOL)

800xA RNRP: all versionsAll versionsNo fix (EOL)

800xA for MOD 300: all versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDReset all user account passwords in System 800xA if any are suspected to be compromised

WORKAROUNDDisable interactive logon (local and remote) for all service accounts in System 800xA

HARDENINGRestrict System 800xA user account access to only authorized personnel

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor for patched versions when ABB releases future product updates

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: 800xA for DCI: all versions, 800xA Batch Management: all versions, 800xA Information Management: all versions, MMS Server for AC 800M: all versions, Base Software for SoftControl: all versions, OPC Server for AC 800M: all versions, 800xA RNRP: all versions, 800xA for MOD 300: all versions, System 800xA Base: all versions. Apply the following compensating controls:

HARDENINGApply principle of least privilege to all System 800xA user accounts

CVEs (7)

CVE-2020-8478 CVE-2020-8484 CVE-2020-8485 CVE-2020-8486 CVE-2020-8487 CVE-2020-8488 CVE-2020-8489

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f952f132-0a84-4903-b35d-c73bb4804308

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.