ABB won't patch industrial control system flaw

ABB does not plan to patch an arbitrary code execution vulnerability in components of itsWebWare Server application because it is a legacy product nearing the end of its lifecycle
ABB does not plan to patch an arbitrary code execution vulnerability in components of itsWebWare Server application because it is a legacy product nearing the end of its lifecycle

Independent researchers Terry McCorkle and Billy Rios identified a buffer overflow vulnerability that could allow an attacker to execute arbitrary code and remotely gain control of the target machine. The flaw could also be used for a denial-of-service attack and privilege escalation, according to an advisory issued by the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

But because the system is near the end of its lifecycle, ABB no longer supports it and does not plan to issue a patch, despite the risk that an attacker could remotely take over the industrial machine. While there are no known exploits targeting these components, crafting an exploit would only require a medium skill level, ICS-CERT judged.

The researchers found vulnerabilities in the COM and scripting interfaces of the WebWare Server products, which include the WebWare Server (including Data Collector and Interlink), WebWare SDK, ABB Interlink Module, S4 OPC Server, QuickTeach, RobotStudio S4, and RobotStudio Lite.

The products are used in several different roles in a factory. WebWare Server is used for data gathering and backup handling; WebWare SDK, ABB Interlink Module, and S4 OPC Server are used for communications to and from a robot controller; and QuickTeach, RobotStudio S4, and RobotStudio Lite are PC tools used for training, installation, and programming of a robot cell.

ABB customers using these products are encouraged to contact their local ABB Robotics service organization or send questions to: cybersecurity@ch.abb.com.

Commenting on the vulnerability disclosure, Anne Saita wrote on Kaspersky Lab’s Threat Post that this is “yet another sign the basic security model underlying the ICS systems that run critical services such as power, water and others, is not prepared for the risks now present through internet connectivity and web-based mobile devices such as smartphones.”

What’s hot on Infosecurity Magazine?