icsa-23-068-03
Vulnerability from csaf_cisa
Published
2023-04-03 13:25
Modified
2023-04-03 13:25
Summary
ABB Ability Symphony Plus
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of this vulnerability could allow an unauthorized client to connect to the S+ Operations servers (human machine interface (HMI) network), to act as a legitimate S+ Operations client.
Critical infrastructure sectors
Chemical, Critical Manufacturing, Dams, Energy, Food and Agriculture, Water and Wastewater
Countries/areas deployed
Worldwide
Company headquarters location
Switzerland
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Recommended Practices
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Recommended Practices
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Recommended Practices
Do not click web links or open attachments in unsolicited email messages.
Recommended Practices
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Recommended Practices
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
Recommended Practices
No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network. This vulnerability has low attack complexity.
{
"document": {
"acknowledgments": [
{
"organization": "ABB",
"summary": "reporting this vulnerability on their website publicly"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of this vulnerability could allow an unauthorized client to connect to the S+ Operations servers (human machine interface (HMI) network), to act as a legitimate S+ Operations client.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Chemical, Critical Manufacturing, Dams, Energy, Food and Agriculture, Water and Wastewater",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Switzerland",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Do not click web links or open attachments in unsolicited email messages.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network. This vulnerability has low attack complexity.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-23-068-03 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2023/icsa-23-068-03.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-23-068-03 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-03"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/Recommended-Practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://cisa.gov/ics"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
}
],
"title": "ABB Ability Symphony Plus",
"tracking": {
"current_release_date": "2023-04-03T13:25:41.249897Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-23-068-03",
"initial_release_date": "2023-04-03T13:25:41.249897Z",
"revision_history": [
{
"date": "2023-04-03T13:25:41.249897Z",
"legacy_version": "1",
"number": "1",
"summary": "CSAF Creation Date"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "3.3 SP2 (part of SPR1 2023.0)",
"product": {
"name": "S+ Operations: 3.3 SP2 (part of SPR1 2023.0)",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "S+ Operations"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 3.3 SP1 3.x",
"product": {
"name": "S+ Operations: 3.3 SP1 and earlier 3.x versions",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "S+ Operations"
},
{
"branches": [
{
"category": "product_version",
"name": "2.2",
"product": {
"name": "S+ Operations: 2.2",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "S+ Operations"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 2.1 SP2",
"product": {
"name": "S+ Operations: 2.1 SP2 and earlier 2.x versions",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "S+ Operations"
}
],
"category": "vendor",
"name": "ABB"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0228",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "An unauthorized client able to connect to the ABB S+ Operations servers (HMI network) can act as a legitimate S+ Operations client, reading any data and changing its configuration, which could result in corruption of data, unauthorized disclosure of information, unexpected operation of equipment or causing the product or system to stop (denial-of-service condition). CVE-2023-0228 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0228"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "ABB advises all users to review their installations to determine if they are using an impacted product as listed above. End users should immediately apply the mitigations listed below to restrict or prevent an attacker\u2019s ability to compromise these systems.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "S+ Operations 3.3 SP2 (part of SPR2 2023.0): deploy the upcoming update for this version; planned release within Quarter (Q) 3 2023.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "S+ Operations 3.3 SP1 and earlier 3.x versions: deploy the upcoming update for this version; planned release within Q4 2023.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "S+ Operations 2.2: deploy the upcoming update for this version; planned release within Q4 2023.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "S+ Operations 2.1 SP2 and earlier 2.x versions: upgrade the system to version S+ Operations 3.3 with the updates described above to mitigate the issue completely.In addition to the updates above, ABB recommends users follow the mitigating factors as described below:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Follow the ABB\u0027s recommended approach of designing and deploying a secure network for industrial use, ICS Cyber Security Reference Architecture Guide, 8VZZ000368D0066\u2014S+ Operations is not intended to be directly connected to the internet.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://login.microsoftonline.com/372ee9e0-9ce0-4033-a64a-c07073a91ecd/oauth2/v2.0/authorize?client_id=88fb8a86-3cd9-4c2b-b649-f2faf14ca03d\u0026redirect_uri=https%3A%2F%2Fsearch.abb.com%2Fsignin-oidc\u0026response_type=code\u0026scope=openid%20profile%20offline_access%20email\u0026code_challenge=FglMB73hz9BqOPqIMs4az18Zi2lpaX_R3tkDOzFqtdM\u0026code_challenge_method=S256\u0026response_mode=form_post\u0026nonce=638133976753389181.Y2EwY2NlNmMtODM5YS00MDE0LWI5ZGQtNzZjMGYzMjE0YWEyOGNhYjE4MmUtMDY3NC00MWY0LWI4OWYtNGIyNTEyOTgzMTk4\u0026client_info=1\u0026x-client-brkrver=IDWeb.1.25.10.0\u0026state=CfDJ8HNRo0bisw1Kg1fvNdc8yo0oUKgav3Ie8YwdzV3ekmyVTwEsM5HejhskUC_QB9NR5iMTIxMJBlY0JOSIZTBh-e6wWbs0yhecZAKyo0OCXQfZ0gsqf4DIVBpXyJ01xt18NmLh0QipBHLVT42gkLTlrSSvxhA_Ke33x6oPREMARos6H2f0oebUPS1Q6accAX9pUUaXBpgTqfl28Awi4yuEAFv9ZPBQQU9HRa0Ntp-G0yIfTVkQZj7CfN6o3koLgKNxhJwTF-JYAaYZwamSHwQdUhRJ4B0z8eg4-e7CJhW6LbrJdAqye1PnSWHoD_TG7lIXpAQeOsVv2oGyxn6A77gUdSi02GMC0iu0L0UfKX88XdZ09i2qmEgb-9W08kxoweYhP1kUPLrmf-KSnREFcLdWxNhqpNHcq6u4UvAonxHo8ahLo09mEs0U7MUCZSr0CXKrAaMak5FwWr9e3FYBdVD425oWUIP-s_aqQpx0d4oexi0O3IVUH5FSkzs-lETskmqAaTg_1ov3REiDqgS2eLA6fCCwG8qhVP9_e0cAD_eG8ALlnhHjaQDENFeLNFhnG0o6VQ\u0026x-client-SKU=ID_NET6_0\u0026x-client-ver=6.25.1.0"
},
{
"category": "vendor_fix",
"details": "Enable host authentication and data integrity via IPsec\u2014documented in \u201cSymphony Plus Secure deployment guide for Windows 10 and Server 2016/2019 user manual\u201d, 8VZZ001006T0001\u2014to prevent an attack by an unauthorized client able to connect to the S+ Operations servers (HMI network).",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://login.microsoftonline.com/372ee9e0-9ce0-4033-a64a-c07073a91ecd/oauth2/v2.0/authorize?client_id=88fb8a86-3cd9-4c2b-b649-f2faf14ca03d\u0026redirect_uri=https%3A%2F%2Fsearch.abb.com%2Fsignin-oidc\u0026response_type=code\u0026scope=openid%20profile%20offline_access%20email\u0026code_challenge=xHFVx1KTzW1wBjYPLmEemm194fuffzBWxHAJqA_2BYM\u0026code_challenge_method=S256\u0026response_mode=form_post\u0026nonce=638133977256478765.MTQ1N2Y4NGEtN2YzMS00NGE5LTg1YjItZjZiMTU3OGQxMWJkM2YzY2E5NjctZjY4NC00ZWYyLWE4NDMtOWJmZDM2NmMwYjhl\u0026client_info=1\u0026x-client-brkrver=IDWeb.1.25.10.0\u0026state=CfDJ8HNRo0bisw1Kg1fvNdc8yo2yaN6PUv2jb2yxPdFQO07cizx_dAjHcHUC5j40TI08L6WhxjJBigihEJUKHRNO3eEVJVoBjVTyXNC7_cqfwjr3mCZUc1YEXV7lioDAjNeqcLp5erSJm7LvJ_tBs0AZjtP--S0iuDItWWjbZ6Ldz_8W99jecV_deSwReUk4gS6ySgdskbB5fpz9R1xXlNL94KhxNMII1AKj-ZkAcrtEUkGb3FF-ZDMKtAfvZtIfynzHY5BWGjVPBA8CrxjKZ5RoXdheadkxdAxY2pL14gFVYRbHpC2uIH1J6HNTTNV8s5g4Dcc5L_jrqi7y9fdIOb3D75drI2b6DOX9Vd9VQlkbOELDkWvY0mHwvIFiRyPQAMWPilyzA8c-FOdGBHgIv8Ad_Q8ofiA7ROMSC4S9ba1MdkuI4AtTSGc-xKIg2u0lJKJqIyrVtzQCdCPryTvQYm61EP7jiyWZyTKFoIb2nL82qY-J8N9GucjMWcfGWH-pov_1_oTtGkvCCb8iFbZIrVopM4gRYbJQQHR51hGatXiNgg78bQ0Otsc8k-waUzPlOyazmA\u0026x-client-SKU=ID_NET6_0\u0026x-client-ver=6.25.1.0"
},
{
"category": "vendor_fix",
"details": "Apply security countermeasures at host-level to mitigate the likelihood of an attack to the S+ Operations client machine, like hardening practices and use of malware prevention solutions\u2014see section \u201cWhat is the scope of the vulnerability?For more information, see ABB\u0027s cybersecurity advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=7PAA006722"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
]
}
]
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.