Information security specialists detected a critical bug in ABB relay protection systems

IS researchers found a critical bug in the relay protection systems manufactured by the Swedish-Swiss corporation ABB.

As it turned out, Relion 670 Series Intelligent Electronic Devices (IEDs) are susceptible to a vulnerability that allows reading and deleting any files on the device.

The attack can be carried out remotely and does not require special skills.

“An unauthorized attacker can send a malicious request containing the path to a folder to the device and gain the ability to manipulate the files stored there. The special format of the incoming packet allows the attacker to bypass access restrictions and interact with objects outside the permitted directory”, – says Kaspersky Lab expert Kirill Nesterov.

The bug is present in the MMS server of the relay protection systems ABB Relion 670, and designed for operation in high and ultra-high voltage networks. The vulnerability affected a family of devices of the following firmware versions:

Kirill Nesterov
Kirill Nesterov
  1. 1p1r26 and earlier;
  2. 2.3.17 and earlier;
  3. 0.0.10 and earlier;
  4. RES670 and earlier;
  5. 1.0.1 and earlier.

The gap is registered as CVE-2019-18253 and is estimated by experts as 10 points on the CVSS scale. Exploitation of the vulnerability does not require interaction with the device operator – a cybercriminal only needs to have access to TCP port 102 to send data to it.

Read also: OnePlus reports user data leakage

The IEC 61850 series of standards (IEC-61850) intended for the exchange of data between devices in digital electronic substations. The protocol is widely used in relay protection systems of various manufacturers.

Therefore, in February of this year, Siemens patched three vulnerabilities in the SIPROTEC 5 relay, which were also operated through port 102. Bugs made it possible remotely and without authentication cause a malfunction of the attacked device.


The manufacturer released an update with patches for all versions of the system software containing the error. Owners of devices can get updates by writing ABB technical support. The vendor recommends installing the corrected firmware options as soon as possible or disabling the IEC 61850 protocol using port 102 on the device.

The only known workaround for this vulnerability is to disable IEC 61850 protocol when it is not in use. If this is not possible, ABB recommends having a proper security architecture that divides the system in different security zones, and revising the firewall configurations to limit the usage of MMS protocol to the relevant upper networks.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button