It took Swiss-based industrial technology solutions provider ABB five years to inform customers of a critical vulnerability affecting one of its products, and the researcher who found it says this increased the chances of threat actors discovering and exploiting the security flaw.
The United States Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency (CISA), this week disclosed the existence of an authentication bypass vulnerability affecting ABB’s Power Generation Information Manager (PGIM) plant historian and data analysis tool, and its predecessor, Plant Connect. The affected products, according to CISA, are used worldwide in a wide range of sectors, including dams, critical manufacturing, energy, water and wastewater, food and agriculture, and chemical.
The flaw, tracked as CVE-2019-18250, is considered critical with a CVSS score of 9.8. It allows an attacker to obtain PGIM credentials and possibly even Windows credentials, enabling them to cause the loss of historical data and events, and possibly gain the privileges required to write data to the control platform.
The ABB Plant Connect product is obsolete and the company plans on transitioning PGIM to limited support in January 2020. ABB’s newest historian product, Symphony Plus Historian, is not impacted and the vendor has advised customers to update to this product or implement workarounds and mitigations that should prevent attacks.
ABB’s handling of CVE-2019-18250
The vulnerability was identified and reported to ABB by Rikard Bodforss of Bodforss Consulting, a Sweden-based consulting company that specializes in IT and OT cybersecurity.
Bodforss told SecurityWeek that he reported his findings to ABB in 2014, shortly after discovering the vulnerability, but the vendor allegedly downplayed the issue at the time. Nevertheless, the vendor had promised him that it would work on a patch and discreetly reach out to affected customers to inform them of the vulnerability.
In reality, it appears that ABB forgot about the vulnerability and failed to inform customers of its existence until recently when Bodforss discussed the flaw at the CS3STHLM ICS/SCADA cybersecurity conference in Sweden. In addition to describing the PGIM flaw, the expert released a proof-of-concept (PoC) exploit that can be used to obtain credentials for the affected product.
Bodforss explained that he could not make his findings public sooner because one of his customers used the vulnerable product. He said the vulnerability was “classified secret and a matter of national security,” which prevented him from disclosing it until that customer upgraded its systems earlier this year.
During this time, he was hoping that ABB would issue an advisory to warn impacted organizations, but that did not happen until November 1, roughly a week after Bodforss’ public disclosure.
The researcher says he has worked well with ABB on the issue following his presentation, and the company consulted him on mitigation strategies. “Before [my talk], they treated me like I had the plague,” Bodforss told SecurityWeek.
“I’m certain that threat actors have known about the vulnerability before I made it public, so I’m not losing any sleep over giving the world a working exploit,” Bodforss said. “My problem is that I was prohibited by law to disclose anything until my customer’s environment was patched, so I was relying on ABB to release a public advisory so I could talk about it. As it turned out, they had been so ‘discreet’ about the problem internally, they had forgotten about it.”
ABB, however, says it has not received any information suggesting that the vulnerability has been exploited for malicious purposes.
The company argued that when it announced Symphony Plus Historian in 2016 as a successor of PGIM, it did inform customers through its sales announcement and release notes that the new product contained improved cybersecurity features.
“The new product addressed known security issues present at the time in Power Generation Information Manager 5.1 (PGIM 5.1) and prior versions. With a recent separate advisory for customers that have not transitioned to Symphony Plus Historian, we have additionally described not only the PGIM vulnerability, but also mitigations,” ABB told SecurityWeek. “We are working to ensure that vulnerabilities are addressed in a timely manner.”
According to ABB, the vulnerability allows an attacker with network access to the targeted PGIM server to obtain PGIM user credentials in one of two ways: by sniffing traffic, since credentials are transmitted unencrypted, or by sending specially crafted messages to the server. Bodforss demonstrated the second option by writing a client that simply asks the server to hand over all usernames and passwords, which the server does without requiring the client to authenticate first.
The vulnerability can pose an even more serious risk in the case of organizations where Windows credentials are the same as the ones for PGIM. In one test conducted by Bodforss, the PGIM credentials matched Windows domain administrator credentials, which would give the attacker deep access into the network.
Furthermore, ABB warned, “If a plant control system application has been configured to allow data to be written from the PGIM historian system, then an attacker may be able to utilize PGIM to send unauthorized data to the plant control system.”