Claroty discovers path-traversal vulnerability in ABB flow computers

Claroty’s Team82 cybersecurity research team has found a high-severity path-traversal vulnerability (CVE-2022-0902) in ABB’s TotalFlow Flow Computers and Remote Controllers. Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code.

Team82 focused on ABB flow computers because of their use within many large oil and gas utilities worldwide. It looked for vulnerabilities that could give an attacker the ability to influence measurements by remotely running code of their choice on the device.

ABB has made a firmware update available that resolves the vulnerability in a number of product versions; it also recommends network segmentation as a mitigation. More information, including affected product versions, is found in ABB’s advisory.

Flow computers are used to calculate volume and flow rates for oil and gas that are critical to electric power manufacturing and distribution. These machines take liquid or gas measurements that are not only vital to process safety, but are also used as inputs by other processes — alarms, logs, configurations — and therefore require accuracy to ensure reliability.

They are also used for billing. The most noteworthy and related security incident was the ransomware attack against Colonial Pipeline, which impacted enterprise systems and forced the company to shut down production because it could not bill customers. Disrupting the operation of flow computers is a subtle attack vector that could similarly impact not only IT, but also OT systems; this led the team to research the security of these machines.

The target of Team82’s research was ABB’s µFLO G5 flow computer. This device can receive raw sensor data from other flow meters, perform flow and show/propagate the output.

From a security perspective, the µFLO G5 features three main mechanisms:

• Security switch: A physical switch attached to the board that will enable/disable the use of the security passcode.
• Security passcode: Two four-digit passcodes; one for reading data and another authorising writing of data.
• RBAC: Role-based access control which assigns roles and permission to read and write specific attributes; this option is implemented only on the client side.
   

Configuration of ABB flow computers is done via a proprietary protocol designed by ABB called TotalFlow. This protocol can be used on top of a serial or Ethernet (TCP) connection. Most of the communication between the client and the device — retrieval of the gas flow calculations, set and get device settings, import and export of the configuration files — is done over the TotalFlow protocol (TCP/9999).

Team82 set out to bypass authentication and achieve remote code execution in the flow computer, and succeeded, resulting in the discovery of the CWE-22 Path Traversal Vulnerability.

This path traversal vulnerability can enable an attacker to take over flow computers and remotely disrupt the flow computers’ ability to accurately measure oil and gas flow.

A successful exploit of this issue could impede a company’s ability to bill customers, forcing a disruption of services, similar to the consequences suffered by Colonial Pipeline following its 2021 ransomware attack.

Team82 disclosed this vulnerability to ABB, which issued an update that addresses the issue. ABB also advises network segmentation as a mitigation strategy; further information is available in ABB’s advisory.

Image: ABB