IS researchers found a critical bug in the relay protection systems manufactured by the Swedish-Swiss corporation ABB.As it turned out, Relion 670 Series Intelligent Electronic Devices (IEDs) are susceptible to a vulnerability that allows reading and deleting any files on the device.
The attack can be carried out remotely and does not require special skills.
“An unauthorized attacker can send a malicious request containing the path to a folder to the device and gain the ability to manipulate the files stored there. The special format of the incoming packet allows the attacker to bypass access restrictions and interact with objects outside the permitted directory”, – says Kaspersky Lab expert Kirill Nesterov.
The bug is present in the MMS server of the relay protection systems ABB Relion 670, and designed for operation in high and ultra-high voltage networks. The vulnerability affected a family of devices of the following firmware versions:
- 1p1r26 and earlier;
- 2.3.17 and earlier;
- 0.0.10 and earlier;
- RES670 188.8.131.52 and earlier;
- 1.0.1 and earlier.
The gap is registered as CVE-2019-18253 and is estimated by experts as 10 points on the CVSS scale. Exploitation of the vulnerability does not require interaction with the device operator – a cybercriminal only needs to have access to TCP port 102 to send data to it.
Read also: OnePlus reports user data leakage
The IEC 61850 series of standards (IEC-61850) intended for the exchange of data between devices in digital electronic substations. The protocol is widely used in relay protection systems of various manufacturers.
Therefore, in February of this year, Siemens patched three vulnerabilities in the SIPROTEC 5 relay, which were also operated through port 102. Bugs made it possible remotely and without authentication cause a malfunction of the attacked device.
The manufacturer released an update with patches for all versions of the system software containing the error. Owners of devices can get updates by writing ABB technical support. The vendor recommends installing the corrected firmware options as soon as possible or disabling the IEC 61850 protocol using port 102 on the device.