Our Researchers Discover Another Vulnerability
As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.
CVE-2020-24685 is a CVSS 8.6 (CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) remote CPU DoS vulnerability discovered by SCADAfence researcher Yossi Reuven. All of ABB’s AC500 V2 products with onboard Ethernet are affected (with the latest firmware, v2.5.4).
ABB is one of the world’s leading electronics and electrical equipment manufacturing companies (holding an overall share in the world DCS market of 19.2%), and its products are in use by many of our customers.
About The Vulnerability – CVE-2020-24685
The AC500 V2 Series is one of ABB’s PLC offerings, designed as a compact, entry-level PLC for small applications. The AC500 V2 communicates with Automation Builder (the engineering software package) via an ABB proprietary wrapper protocol that encapsulates the CoDeSys SDE protocol (which works over both TCP and UDP).
A single specially crafted packet sent by an attacker over the ABB protocol on port 1200 causes a denial-of-service (DoS) condition. The PLC’s CPU goes into fault mode, causing a hardware failure. The PLC then becomes unresponsive and requires a manual (physical) restart to recover. In addition, the buffer overflow condition may allow remote code execution.
What SCADAfence Recommends Asset Owners To Do
Perform an Industrial Vulnerability Management Process
Please refer to our guide on this topic: https://www.scadafence.com/public-preview-a-comprehensive-guide-to-industrial-device-patching/
Monitor for Unauthorized Network Activity and Exploitation
Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.
Upgrade to the Latest Firmware
ABB has developed a new firmware version 2.8.5 fixing this vulnerability. This firmware version is released for the following affected PLC types:
Currently, no firmware update is available for other products in the AC500 V2 line. When ABB makes such a patch available, we recommend that asset owners consider upgrading.
Prevent Unauthorized and Untrusted Access
– Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
– Use within a LAN and block access from untrusted networks and hosts through firewalls.
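The monitoring and access-restriction recommendations above can be combined into one check, shown here as an added example that is not SCADAfence's or ABB's code: it scans flow records for traffic to PLC port 1200 (TCP or UDP) from hosts outside an engineering-workstation allowlist. The PLC subnet, the allowlist, the record format and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

ABB_PORT = 1200  # port named in the advisory; the protocol runs over TCP and UDP
# Assumptions for this example: site-specific values, not taken from the advisory.
PLC_NET = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.11")}

# Constructed sample flow records: time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2021-01-12T08:00:01Z,10.10.5.11,10.20.0.15,tcp,1200
2021-01-12T08:03:44Z,10.30.7.80,10.20.0.15,udp,1200
2021-01-12T08:04:10Z,10.30.7.80,10.20.0.15,tcp,502
2021-01-12T08:05:02Z,192.0.2.44,10.20.0.16,TCP,1200
2021-01-12T08:05:09Z,10.10.5.11,10.40.1.9,udp,1200
not,a,valid,record
"""

def unauthorized_abb_flows(flow_csv):
    """Return (alerts, skipped): flows to PLC port 1200 from non-allowlisted hosts."""
    alerts, skipped = [], 0
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            ts, src, dst, proto, dport = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            skipped += 1  # malformed record: count it instead of dropping it silently
            continue
        if proto.lower() not in ("tcp", "udp") or port != ABB_PORT:
            continue
        if dst_ip not in PLC_NET:
            continue
        # A single packet is enough to fault the CPU, so alert on the first
        # flow rather than waiting for a rate or volume threshold.
        if src_ip not in ENGINEERING_HOSTS:
            alerts.append({"time": ts, "src": src, "dst": dst, "proto": proto.lower()})
    return alerts, skipped

if __name__ == "__main__":
    found, bad = unauthorized_abb_flows(SAMPLE_FLOWS)
    for alert in found:
        print("ALERT", alert)
    print("skipped malformed records:", bad)
```

The same allowlist can drive the firewall rule for port 1200, so that what the monitor alerts on and what the firewall blocks stay in agreement.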
Special Thanks & Recognition
The SCADAfence Research team would like to thank the ABB team for the collaboration.
SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.
We wrote a Python PoC script (GPLv3) that demonstrates the exploit in action.
Currently, there’s no patch available. As a result, we limit the access to the exploit to vetted individuals only. The exploit is only available for educational and legal research purposes.
Warning: The script will crash the PLC’s CPU – do not use it in production.
To get this free Python exploit, please send an email to email@example.com, identify yourself and explain how you’re going to use the exploit. We reserve the right to refuse any request.