OTPulse

ABB Ability Symphony Plus

Plan Patch · 8.8 · ICS-CERT ICSA-23-068-03 · Apr 3, 2023
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

ABB Ability Symphony Plus (S+ Operations) contains an authentication bypass vulnerability that allows an unauthorized client to connect to the HMI network servers and act as a legitimate operator without providing credentials. Successful exploitation would allow an attacker to issue commands to control manufacturing processes. The vulnerability affects S+ Operations versions 2.1 SP2 and earlier, 2.2, 3.3 SP1, and 3.3 SP2. ABB has announced security updates are planned for Q3 2023 (for 3.3 SP2) and Q4 2023 (for other versions), with users of 2.1 SP2 and earlier advised to upgrade to version 3.3.

What this means
What could happen
An attacker with network access to the HMI network could impersonate a legitimate S+ Operations client and gain unauthorized control over the manufacturing process, potentially altering setpoints, disrupting operations, or causing safety hazards.
Who's at risk
Manufacturing facilities using ABB Ability Symphony Plus (S+ Operations) for HMI/SCADA control. Affects all current versions: 2.1 SP2 and earlier, 2.2, 3.3 SP1, and 3.3 SP2. Any manufacturing plant relying on S+ Operations for process monitoring and control is at risk.
How it could be exploited
An attacker on the same network segment as the S+ Operations server sends a specially crafted client connection request without credentials. The server lacks proper authentication validation and accepts the connection, allowing the attacker to issue commands to the HMI as if they were an authorized operator.
Prerequisites
  • Network access to the S+ Operations server on the HMI network
  • No valid client credentials required
Remotely exploitable · No authentication required · Low complexity · No patch available yet · Affects control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
S+ Operations: 3.3 SP2 (part of SPR1 2023.0) | 3.3 SP2 (part of SPR1 2023.0) | 3.3 SP2 (part of SPR2 2023.0) - update planned Q3 2023
S+ Operations: 3.3 SP1 and earlier 3.x versions | < 3.3 SP1 3.x | 3.3 SP2 (part of SPR2 2023.0) - update planned Q3 2023
S+ Operations: 2.2 | 2.2 | 3.3 SP2 (part of SPR2 2023.0) - update planned Q3 2023
S+ Operations: 2.1 SP2 and earlier 2.x versions | < 2.1 SP2 | 3.3 SP2 (part of SPR2 2023.0) - update planned Q3 2023
Remediation & Mitigation
Do now
HARDENING: Restrict network access to S+ Operations servers to only authorized workstations and control rooms
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Deploy the S+ Operations 3.3 SP2 (part of SPR2 2023.0) security update when released in Q3 2023
HOTFIX: Deploy the S+ Operations 3.3 SP1 and earlier 3.x versions security update when released in Q4 2023
HOTFIX: Deploy the S+ Operations 2.2 security update when released in Q4 2023
HOTFIX: Upgrade S+ Operations 2.1 SP2 and earlier 2.x systems to version 3.3 with security updates to fully resolve the issue
Long-term hardening
HARDENING: Implement network segmentation to isolate the HMI network from untrusted networks