-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1793
         ICS Advisory | ICSA-23-082-05 ABB Pulsar Plus Controller
                               24 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ABB Pulsar Plus Controller
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26080 CVE-2022-1607 

Original Bulletin: 
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-05

Comment: CVSS (Max):  6.3 CVE-2022-26080 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-082-05)

ABB Pulsar Plus Controller

Release Date
March 23, 2023

1. EXECUTIVE SUMMARY

  o CVSS v3 6.3
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: ABB
  o Equipment: Pulsar Plus Controller
  o Vulnerabilities: Use of Insufficiently Random Values, Cross-Site Request
    Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
take control of the product or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ABB Pulsar Plus Controller are affected:

  o ABB Infinity DC Power Plant - H5692448 G104 G842 G224L G630-4 G451C(2)
    G461(2) - comcode 150047415
  o ABB Pulsar Plus System Controller - NE843_S - comcode 150042936

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Several fields in the web pages accept arbitrary text, such as the description
of an alarm or a rectifier. These represent a cross-site scripting
vulnerability: JavaScript code can be entered as the description, with the
potential of causing system interactions unknown to the user. These issues were
remediated by adding a check of every field update to reject suspicious
entries.

CVE-2022-1607 has been assigned to this vulnerability. A CVSS v3 base score of
4.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

Every interaction with the web server requires a Session ID that is assigned to
the session after a successful login. The reported vulnerability is that the
Session IDs were too short (16 bits), too predictable (IDs simply incremented),
and were plainly visible in the URLs of the web pages. These issues were
remediated by rewriting the web server to follow recommended best practices.

CVE-2022-26080 has been assigned to this vulnerability. A CVSS v3 base score of
6.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N).
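The three properties named above (ID space, predictability, exposure in the URL) can be checked mechanically from a handful of issued IDs and access-log lines. The following Python is an added example, not code from the advisory or from ABB; the sample IDs, the log lines, the query-parameter name `sid` and the 128-bit floor are all constructed assumptions.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: IDs from four successive logins on a hypothetical controller,
# 4 hex digits (a 16-bit space) that simply count upward, plus two constructed
# access-log lines in which the ID travels in the URL query string.
WEAK_IDS = ["0A1F", "0A20", "0A21", "0A22"]
WEAK_LOG = ["GET /alarms.htm?sid=0A1F HTTP/1.1 200",
            "GET /rectifier.htm?sid=0A20 HTTP/1.1 200"]
SID_PARAM = "sid"  # assumed parameter name; the advisory does not name it

def as_ints(ids):
    """Decode hex session IDs; None if any ID is not hex (would need another decoder)."""
    if not all(re.fullmatch(r"[0-9a-fA-F]+", s) for s in ids):
        return None
    return [int(s, 16) for s in ids]

def id_space_bits(ids):
    """Bits of ID space implied by the widest hex ID (4 hex digits -> 16 bits)."""
    return None if as_ints(ids) is None else max(len(s) for s in ids) * 4

def is_sequential(ids):
    """True when consecutive IDs differ by one constant step, i.e. a counter."""
    vals = as_ints(ids)
    if vals is None or len(vals) < 2:
        return False
    return len({b - a for a, b in zip(vals, vals[1:])}) == 1

def ids_in_urls(log_lines, param=SID_PARAM):
    """Session IDs found in request URLs; they belong in a cookie, never in the URL."""
    found = []
    for line in log_lines:
        found.extend(parse_qs(urlsplit(line.split()[1]).query).get(param, []))
    return found

def audit(ids, log_lines, min_bits=128):
    """Findings for the three weaknesses the advisory describes; empty list means pass."""
    bits = id_space_bits(ids)
    checks = [
        (bits is not None and bits < min_bits, f"id space {bits} bits < {min_bits}"),
        (is_sequential(ids), "ids increment: predictable"),
        (bool(ids_in_urls(log_lines)), "id exposed in URL"),
    ]
    return [msg for hit, msg in checks if hit]

def new_session_id():
    """Remediated generator: 128 bits from the OS CSPRNG, issued via a Set-Cookie header."""
    return secrets.token_hex(16)
```

Running `audit(WEAK_IDS, WEAK_LOG)` reports all three weaknesses, while IDs from `new_session_id()` sent only in a cookie produce no findings.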

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Dams,
    Energy, Food and Agriculture, Water and Wastewater
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Vlad Ionescu of Facebook Red Team X reported these vulnerabilities to ABB.

4. MITIGATIONS

ABB has an available update resolving a privately reported vulnerability in the
product versions listed above. The update is version number 5.0.0 for the
application and 5.0.0 for the web pages. These updates have been distributed
to affected users through the appropriate product support channels.

ABB recommends users ensure the firewall protection is properly configured.

A workaround suggested by ABB is to use the controller's Read/Write Enable/
Disable feature for a network port (NET1,WRE=0).

The controller can disable all writes over the network port. The factory
default is to have the write capability enabled. However, some users may not
want settings to be remotely changed once systems are set. This feature, when
set to "Disable", will allow no changes to be accepted. Once set, it can only
be changed locally through the front panel.

Although these workarounds will not correct the underlying vulnerability, they
can help block known attack vectors.

For more information, see the ABB Security Advisory.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

CISA also recommends users take the following measures to protect themselves
from social engineering attacks:

  o Do not click web links or open attachments in unsolicited email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----