Cybersecurity researchers have disclosed details of a new vulnerability in a system used across oil and gas organizations that could be exploited by an attacker to inject and execute arbitrary code.
The vulnerability, tracked as CVE-2022-0902 (CVSS score: 8.1), is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers.
“Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code,” industrial security company Claroty said in a report shared with The Hacker News.
ABB, a Swedish-Swiss industrial automation firm, has since released firmware updates as of July 14, 2022, following responsible disclosure.
Flow computers are special-purpose electronic instruments used by petrochemical manufacturers to interpret data from flow meters and calculate and record the volume of substances such as natural gas, crude oils, and other hydrocarbon fluids at a specific point in time.
These gas measurements are critical not only when it comes to process safety, but are also used as inputs when bulk liquid or gas products change hands between parties, making it imperative that the flow measurements are accurately captured.
In a nutshell, the vulnerability identified by Claroty is a path traversal flaw that exists in ABB’s implementation of its proprietary Totalflow TCP protocol, which is used to remotely configure the computers.
The issue, specifically, concerns a feature that allows for importing and exporting the configuration files, enabling an attacker to take advantage of an authentication bypass issue to get past the security passcode barrier and upload arbitrary files.
By taking advantage of the shortcoming, a remote malicious actor could seize control of the devices and hamper their ability to properly record oil and gas flow rates.
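The class of flaw described for the configuration import/export feature, shown as an added example that is not ABB's or Claroty's code: an unchecked join of a client-supplied file name beside a hardened form that confines the name to one directory. `CONFIG_ROOT`, `build_path_unsafe` and `build_path_safe` are hypothetical names, and the sample file names are constructed.

```c
/* Added example (not ABB's code). CONFIG_ROOT and both function names are
 * hypothetical; the file names in main() are constructed samples. */
#include <stdio.h>
#include <string.h>

#define CONFIG_ROOT "/cfg" /* assumed directory for importable config files */

/* Vulnerable pattern: the client-supplied name is joined unchecked, so
 * ".." components resolve outside CONFIG_ROOT. */
int build_path_unsafe(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", CONFIG_ROOT, name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened form: relative names only; every component is checked. This is a
 * lexical check, so the later open() should also refuse symlinks. */
int build_path_safe(const char *name, char *out, size_t outlen)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return -1;                          /* empty or absolute name */
    for (const char *p = name; *p != '\0'; ) {
        size_t len = strcspn(p, "/");       /* length of this component */
        if (len == 0)
            return -1;                      /* empty component, e.g. "a//b" */
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
            return -1;                      /* "." or ".." component */
        for (size_t i = 0; i < len; i++) {
            unsigned char c = (unsigned char)p[i];
            if (c < 0x20 || c == 0x7f || c == '\\')
                return -1;                  /* control byte or backslash */
        }
        p += len;
        if (*p == '/' && *++p == '\0')
            return -1;                      /* trailing slash */
    }
    return build_path_unsafe(name, out, outlen); /* join and length check */
}

int main(void)
{
    const char *samples[] = { "station/meter1.cfg", "../outside.bin", "a/../../b" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               build_path_safe(samples[i], buf, sizeof buf) == 0 ? buf : "rejected");
    return 0;
}
```

A check like this belongs in the file-handling routine itself, so it still applies when an authentication step in front of it has been bypassed.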
“A successful exploit of this issue could impede a company’s ability to bill customers, forcing a disruption of services, similar to the consequences suffered by Colonial Pipeline following its 2021 ransomware attack,” Claroty researcher Vera Mens said.