ABB Refuses to Patch Vulnerabilities in Legacy Systems

Researchers Terry McCorke and Billy Rios identified a buffer overflow flaw in a number of components of the ABB WebWare Server applications that are currently being used in many legacy ABB products. However, because they’re approaching the end of their life cycle, the company revealed that no patches should be expected.

According to an ICS-CERT advisory, there are still some Industrial Control Systems (ICS) which rely on products such as ABB’s WebWare Server SDK, ABB Interlink Module, S4 OPC Server, QuickTeach and RobotStudio Lite.

As the researchers highlight, some of the COM and ActiveX components inside them present vulnerabilities in the COM and scripting interfaces.

The products are designed to facilitate communications with the robot controller, some provide graphical elements for webpages and others are used for human-machine interfaces (HMI).

If the vulnerabilities from these products were to be exploited successfully, an attacker could cause a denial-of-service state for the application and even execute his own malicious code.

For the time being there are no known exploits that target the flaws in the aforementioned components, but developing one requires only a medium skill level.

“Users of these products are directed to the available documentation on mitigating risk and securing their machines and production environments. Because these are legacy products, ABB does not intend to patch these vulnerable components,” reads the ICS-CERT report.

The defensive measures that can be implemented to mitigate potential attacks include the minimization of network exposure for all systems, ensuring that critical section cannot be accessed from the Internet.

Another step is to place control system networks behind firewalls, and finally, the use of Virtual Private Networks when remote access to a device is required.

ABB customers are advised to contact their local ABB Robotics branch to find out more on what they must do to ensure that their infrastructures are protected. Further clarifications can be requested by emailing

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.