ABB System 800xA Information Manager

Plan PatchCVSS 8.8ICS-CERT ICSA-20-184-02Jul 2, 2020

ABB

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

A code injection vulnerability exists in ABB System 800xA Information Manager that allows an attacker to execute arbitrary code on the information manager server through a malicious website. An unauthenticated, remote attacker can exploit this by crafting malicious web content and deceiving a user into visiting it from a browser on a machine with access to the Information Manager. Successful exploitation could allow the attacker to run arbitrary commands and compromise the industrial control system's data management and operator interface functions.

What this means

What could happen

An attacker could inject malicious code into the System 800xA Information Manager and execute it on the server, potentially gaining control over the industrial control system's data management and operator interface functions.

Who's at risk

This affects organizations running ABB System 800xA automation systems, particularly those using the Information Manager component for process monitoring and operator interface. This includes water utilities, electric utilities, and manufacturing facilities relying on ABB's integrated automation platform.

How it could be exploited

An attacker crafts a malicious website or web content and tricks a user into visiting it from a browser on a machine that can reach the Information Manager server. The vulnerability allows the attacker to inject arbitrary code through the web interface without needing valid credentials.

Prerequisites

User must be tricked into visiting a malicious website from a machine with network access to the Information Manager
The Information Manager must be reachable from the user's browsing environment
The vulnerable version of System 800xA Information Manager must be deployed

remotely exploitableno authentication requiredlow complexityaffects industrial control system operator interfaceuser interaction required (social engineering)

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (3)

3 pending

ProductAffected VersionsFix Status

System 800xA Information Manager:< 6.0.3.3 RU1No fix yet

System 800xA Information Manager:< 5.1 Rev E/5.1 FP4 Rev E TC6No fix yet

System 800xA Information Manager:< 6.1 RU1No fix yet

Remediation & Mitigation

0/8

Do now

0/2

WORKAROUNDPrevent web browsing from Information Manager nodes to external networks and block access to malicious websites

WORKAROUNDRestrict network access to the Information Manager to authorized users only and ensure only legitimate persons can reach plant assets

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate System 800xA Information Manager to version 5.1 Rev E/5.1 FP4 Rev E TC6 or later if running the 5.1 track

HOTFIXUpdate System 800xA Information Manager to version 6.0.3.3 RU1 or later if running the 6.0.3 LTS track

HOTFIXUpdate System 800xA Information Manager to version 6.1 RU1 or later if running the 6.1 track

Long-term hardening

0/3

HARDENINGPlace Information Manager systems behind a firewall with minimal exposed ports and no direct Internet connections

HARDENINGIsolate control system networks from the business network

HARDENINGReview Access Enable key usage in AC 800M HI and verify configured access levels of SIL variables match your risk analysis

CVEs (1)

CVE-2020-8477

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d032db1a-6d03-44c4-9b1b-9398f629f6fc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.