ABB PCU400 Remote Buffer Overflow
From SCADApedia
Unpatched versions of the PCU400 system are vulnerable to a buffer overflow attack that can lead to arbitrary code execution.
Vulnerability
A buffer overflow, discovered by C4 Security, exists that can lead to the execution of arbitrary code in the component that handles the IEC60870-5-101 and IEC60870-5-104 communication protocols. The overflow is in an auxiliary service used for diagnostics. The FEP software runs on the Windows XP Professional SP2 operating system, and there are many well-known attack techniques and tools for leveraging vulnerabilities on Windows systems.
Affected Systems
- PCU400 4.4
- PCU400 4.5
- PCU400 4.6
Other versions were not tested and may also be vulnerable.
Impact
The PCU400 is used as a Front End Processor (FEP) for the ABB SCADA system. The FEP is essential for communicating with PLC, RTU and other field devices in a SCADA system.
If an attacker were able to gain access to one of these systems, they would be able to crash and possibly remotely control the FEP. This would affect the availability and integrity of monitoring information from the field devices and the ability to control the process.
Detection
Vulnerability details are limited, and currently the only available detection method is to manually check the file version of the x87 executable, which should be 3.5.5 or higher. According to ABB, the x87 executable is considered obsolete in newer versions of the PCU400 and should be replaced by the newer x88 or x89 executable where applicable.
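The version check described above, as an added example that is not part of the original page or of ABB's tooling: it reads the VS_FIXEDFILEINFO version resource out of a Windows executable and compares it numerically against 3.5.5, so that a version such as 3.10.0 is correctly treated as newer than 3.5.5 (a string comparison would get this wrong). The file name x87.exe and the fourth version component (assumed to be 0) are assumptions; a constructed stand-in for the resource is included so the check can be exercised without the real binary.

```python
import struct
import sys
from pathlib import Path

# Minimum fixed version from the advisory; fourth component assumed to be 0.
MIN_VERSION = (3, 5, 5, 0)
VS_FFI_SIGNATURE = 0xFEEF04BD                      # dwSignature of VS_FIXEDFILEINFO
KEY = "VS_VERSION_INFO".encode("utf-16-le")        # szKey of the version resource header


def file_version_from_bytes(data: bytes):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    found after the VS_VERSION_INFO key, or None if no version resource exists."""
    key_off = data.find(KEY)
    if key_off < 0:
        return None
    sig_off = data.find(struct.pack("<I", VS_FFI_SIGNATURE), key_off)
    if sig_off < 0 or sig_off + 16 > len(data):
        return None
    # VS_FIXEDFILEINFO layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _sig, _struc, ver_ms, ver_ls = struct.unpack_from("<4I", data, sig_off)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def meets_minimum(version, minimum=MIN_VERSION):
    """Tuple comparison is numeric per component, so (3, 10, 0, 0) >= (3, 5, 5, 0)."""
    return version is not None and tuple(version) >= tuple(minimum)


def check_executable(path):
    """Read a file from disk and report (version, patched?) for it."""
    ver = file_version_from_bytes(Path(path).read_bytes())
    return ver, meets_minimum(ver)


def make_test_blob(major, minor, build, rev):
    """Constructed stand-in for a PE version resource (not a complete PE file):
    some padding, the VS_VERSION_INFO key, its terminator, then VS_FIXEDFILEINFO."""
    ms = (major << 16) | minor
    ls = (build << 16) | rev
    fixed = struct.pack("<4I", VS_FFI_SIGNATURE, 0x00010000, ms, ls)
    return b"\x00" * 64 + KEY + b"\x00\x00" + fixed + b"\x00" * 32


if __name__ == "__main__":
    # Usage: python check_x87.py C:\path\to\x87.exe   (file name is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "x87.exe"
    version, ok = check_executable(target)
    label = ".".join(map(str, version)) if version else "no version resource"
    print(f"{target}: {label} -> {'patched (>= 3.5.5)' if ok else 'VULNERABLE or unknown'}")
```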
Remediation
The vendor issued a hotfix to resolve this vulnerability.
Compensating Control
Use a firewall or other filtering to limit access to port 8087/tcp, denying access to the web interface from remote locations.
