ICSA: ICS Advisory (ICSA-20-072-01)
1. EXECUTIVE SUMMARY
- CVSS v3 7.6
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: ABB
- Equipment: eSOMS
- Vulnerabilities: Use of Web Browser Cache Containing Sensitive Information, Improper Restriction of Rendered UI Layers or Frames, Improper Neutralization of HTTP Headers for Scripting Syntax, Sensitive Cookie Without ‘HttpOnly’ Flag, Protection Mechanism Failure, Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute, Exposure of Sensitive Information to an Unauthorized Actor, External Control of Critical State Data, Weak Password Requirements, SQL Injection, Cross-site Scripting, Cleartext Storage of Sensitive Information, Inadequate Encryption Strength
2. RISK EVALUATION
In the most severe case, an attacker who successfully exploited these vulnerabilities could take over a user’s browser session, discover session-based information, or affect the confidentiality of sensitive information within the application.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of eSOMS are affected:
- eSOMS 6.02 and prior
3.2 VULNERABILITY OVERVIEW
For ABB eSOMS Versions 6.0.2 and earlier, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browsers not supporting Content Security Policy, this might increase the risk of Cross Site Scripting.
For ABB eSOMS Versions 6.0.2 and earlier, the X-Frame-Options header is not configured in the HTTP response. This can potentially allow 'ClickJacking' attacks, where an attacker frames parts of the application on a malicious website, revealing sensitive user information such as authentication credentials.
For ABB eSOMS Versions 6.0.2 and earlier, the Secure flag is not set in the HTTP response header. Cookie information might therefore be sent over unencrypted connections, making it susceptible to eavesdropping.
For ABB eSOMS Versions 6.0.3 and earlier, HTTPS responses contain comments with sensitive information about the application. An attacker might use these details to craft a targeted attack.
ABB eSOMS Versions 6.0.3 and earlier use ASP.NET ViewState without a Message Authentication Code (MAC). Alterations to the ViewState might thus go unnoticed.
eSOMS versions before 6.0.3 do not enforce password complexity settings, potentially resulting in lower access security due to insecure user passwords.
Lack of input checks for SQL queries in ABB eSOMS Versions 6.0.3 and earlier might allow an attacker to perform SQL injection attacks against the backend database.
Lack of adequate input/output validation in ABB eSOMS Versions 6.0.2 and earlier might allow an attacker to perform stored cross-site scripting by storing malicious content in the database.
The Redis data structure component used in ABB eSOMS Versions 6.0.2 and earlier stores credentials in clear text. If an attacker has file system access, this can potentially compromise the confidentiality of the credentials.
ABB eSOMS Versions 6.0.3 and earlier accept connections using medium strength ciphers. If a connection is enabled using such a cipher, an attacker might be able to eavesdrop and/or intercept the connection.
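The header and cookie weaknesses above (missing X-Frame-Options and X-XSS-Protection, no Cache-Control, cookies without Secure/HttpOnly, comments left in responses) can be verified from a captured HTTP response. The checker below is an added example, not ABB or CISA code; the sample responses are constructed and the cookie names are assumptions, not values taken from eSOMS.

```python
from email.parser import Parser

# Constructed sample showing the weak configuration (not captured from eSOMS).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><!-- TODO: remove before release, db=PLACEHOLDER --></html>"
)

# Constructed sample of the same response with the headers and flags set.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Cache-Control: no-store\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html></html>"
)

def parse_response(raw):
    """Split a raw HTTP response into status line, header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    return status_line, Parser().parsestr(header_text), body

def cookie_findings(set_cookie_values):
    """Flag every Set-Cookie value that lacks the Secure or HttpOnly attribute."""
    findings = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

def header_findings(headers, body):
    """Flag the missing response headers and leftover HTML comments."""
    findings = []
    csp = headers.get("Content-Security-Policy") or ""
    if headers.get("X-Frame-Options") is None and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    if headers.get("X-XSS-Protection") is None:
        findings.append("no X-XSS-Protection (legacy browsers without CSP)")
    if "no-store" not in (headers.get("Cache-Control") or "").lower():
        findings.append("Cache-Control lacks no-store (browser cache)")
    if "<!--" in body:
        findings.append("HTML comments in body (review for sensitive details)")
    return findings

def audit(raw):
    """Return all findings for one raw response; an empty list means clean."""
    _, headers, body = parse_response(raw)
    return header_findings(headers, body) + cookie_findings(headers.get_all("Set-Cookie") or [])
```

Running audit() against the output of a real deployment after updating to 6.0.3 or 6.1 is a quick way to confirm the header and cookie fixes took effect.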
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
ABB reported these vulnerabilities to CISA.
ABB recommends users update their version of eSOMS to 6.0.3 or 6.1.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open unsolicited attachments in email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploits specifically target these vulnerabilities.