Vulnerability in ABB Plant Historian Disclosed 5 Years After Discovery

It took Swiss-based industrial technology solutions provider ABB five years to inform customers of a critical vulnerability affecting one of its products, and the researcher who found it says this increased the chances of threat actors discovering and exploiting the security flaw.


The United States Department of Homeland Security, through its Cybersecurity and Infrastructure Security Agency (CISA), this week disclosed the existence of an authentication bypass vulnerability affecting ABB’s Power Generation Information Manager (PGIM) plant historian and data analysis tool, and its predecessor, Plant Connect. The affected products, according to CISA, are used worldwide in a wide range of sectors, including dams, critical manufacturing, energy, water and wastewater, food and agriculture, and chemical.


The flaw, tracked as CVE-2019-18250, is considered critical with a CVSS score of 9.8. It allows an attacker to obtain PGIM credentials and possibly even Windows credentials, enabling them to cause the loss of historical data and events, and possibly gain the privileges required to write data to the control platform.


The ABB Plant Connect product is obsolete and the company plans on transitioning PGIM to limited support in January 2020. ABB’s newest historian product, Symphony Plus Historian, is not impacted and the vendor has advised customers to update to this product or implement workarounds and mitigations that should prevent attacks.


ABB’s handling of CVE-2019-18250


The vulnerability was identified and reported to ABB by Rikard Bodforss of Bodforss Consulting, a Sweden-based consulting company that specializes in IT and OT cybersecurity.


Bodforss told SecurityWeek that he reported his findings to ABB in 2014, shortly after discovering the vulnerability, but the vendor allegedly downplayed the issue at the time. Nevertheless, the ve ..
