ABB B&R PCs Vulnerable to Multiple Attacks via EDK2 Network Package
Multiple vulnerabilities in ABB B&R PCs, specifically within the EDK2 Network Package, can be exploited by a network attacker to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237).
ABB has identified multiple vulnerabilities within the EDK2 Network Package used in several B&R PC product lines, affecting versions prior to the listed fixes. These vulnerabilities, discovered in 2023, stem from improper handling of network messages, specifically within the Preboot eXecution Environment (PXE) of the UEFI firmware. Successful exploitation could allow a network attacker to perform a variety of malicious actions including remote code execution, denial-of-service attacks, DNS cache poisoning, and sensitive information disclosure. The affected product lines include APC4100, APC910, C80, MPC3100, PPC1200, PPC900, APC2200, PPC2200, APC3100, and PPC3100. It is critical to apply the provided updates or mitigations to prevent potential exploitation. These vulnerabilities impact organizations that use these PCs in their industrial control systems.
Attack Chain
- The attacker identifies a vulnerable ABB B&R PC on the network running an affected firmware version.
- The attacker crafts a malicious DHCPv6 Advertise message with a malformed IA_NA or IA_TA option (CVE-2023-45229).
- The attacker sends the crafted DHCPv6 message to the target PC.
- The vulnerable EDK2 Network Package processes the malicious option, resulting in an out-of-bounds read.
- The attacker exploits the out-of-bounds read to leak sensitive information from the device’s memory.
- Alternatively, the attacker crafts a malicious DHCPv6 client message with a long server ID option (CVE-2023-45230).
- The vulnerable EDK2 Network Package processes the oversized server ID, leading to a buffer overflow.
- The attacker leverages the buffer overflow to achieve remote code execution on the target system, potentially leading to complete system compromise.
Impact
Successful exploitation of these vulnerabilities could have significant consequences. An attacker could gain unauthorized access to the targeted industrial control systems, leading to disruption of operations, data theft, or the execution of malicious code. The vulnerabilities could also be leveraged to perform denial-of-service attacks, rendering the affected systems unavailable. Given that the affected PCs are used within critical infrastructure sectors like energy, the impact could extend to broader societal consequences.
Recommendation
- Apply the vendor-provided fixes for each affected product line (APC4100, C80, MPC3100, PPC1200, PPC900, APC2200, PPC2200, APC3100, PPC3100) as detailed in the advisory.
- For APC910, where no patch is available, disable the vulnerable Preboot eXecution Environment (PXE) of the UEFI firmware as a mitigation.
- If PXE functionality is required, restrict network traffic to legitimate users and block illegitimate PXE traffic, specifically related to IPv6, using a control network firewall.
- Monitor network traffic for malformed DHCPv6 Advertise messages or DHCPv6 client messages with excessively long server IDs to detect potential exploitation attempts.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts of CVE-2023-45229 and CVE-2023-45230.
Detection coverage (2 rules)
- Detect CVE-2023-45229 Exploitation Attempt — Malformed DHCPv6 IA_NA/IA_TA Option (severity: high). Detects CVE-2023-45229 exploitation attempt — monitors network traffic for DHCPv6 Advertise messages with malformed IA_NA or IA_TA options indicative of an out-of-bounds read attempt.
- Detect CVE-2023-45230 Exploitation Attempt — Long DHCPv6 Server ID Option (severity: high). Detects CVE-2023-45230 exploitation attempt — monitors network traffic for DHCPv6 client messages with a server ID option exceeding a reasonable length, indicative of a buffer overflow attempt.
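The two rule descriptions above boil down to length checks on DHCPv6 options. The following added example (not part of the advisory and not the platform's Sigma rules) implements those checks as a small DHCPv6 payload validator; the 128-byte Server ID threshold and the sample payloads are constructed assumptions, not values from the advisory.

```python
import struct

# DHCPv6 message and option constants (RFC 8415).
MSG_ADVERTISE = 2
MSG_REQUEST = 3
OPT_SERVERID = 2
OPT_IA_NA = 3
OPT_IA_TA = 4
IA_NA_MIN_LEN = 12   # IAID(4) + T1(4) + T2(4) precede any IA_NA sub-options
IA_TA_MIN_LEN = 4    # IAID(4) precedes any IA_TA sub-options
SERVERID_MAX_LEN = 128  # assumed threshold; real DUIDs are a few dozen bytes

def iter_options(payload):
    """Yield (code, declared_len, data) for each option after the 4-byte header."""
    pos = 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, pos)
        yield code, length, payload[pos + 4:pos + 4 + length]
        pos += 4 + length

def check_dhcpv6(payload):
    """Return a list of alert strings for one DHCPv6 UDP payload (empty if clean)."""
    alerts = []
    if len(payload) < 4:
        return ["truncated DHCPv6 header"]
    msg_type = payload[0]
    for code, length, data in iter_options(payload):
        if len(data) < length:  # option claims more bytes than the packet carries
            alerts.append(f"option {code} declares {length} bytes, only {len(data)} present")
        if msg_type == MSG_ADVERTISE and code == OPT_IA_NA and length < IA_NA_MIN_LEN:
            alerts.append(f"CVE-2023-45229: IA_NA option length {length} < {IA_NA_MIN_LEN}")
        if msg_type == MSG_ADVERTISE and code == OPT_IA_TA and length < IA_TA_MIN_LEN:
            alerts.append(f"CVE-2023-45229: IA_TA option length {length} < {IA_TA_MIN_LEN}")
        if code == OPT_SERVERID and length > SERVERID_MAX_LEN:
            alerts.append(f"CVE-2023-45230: Server ID option length {length} > {SERVERID_MAX_LEN}")
    return alerts

# Constructed sample payloads for testing the checks (not real captures).
def _opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def _msg(msg_type, *options):
    return bytes([msg_type]) + b"\x00\x00\x01" + b"".join(options)

DUID = b"\x00\x01\x00\x01" + b"\x11" * 10  # plausible 14-byte DUID-LLT
BENIGN = _msg(MSG_ADVERTISE, _opt(OPT_SERVERID, DUID), _opt(OPT_IA_NA, b"\x00" * 12))
SHORT_IA_NA = _msg(MSG_ADVERTISE, _opt(OPT_IA_NA, b"\x00\x00\x00\x01"))  # IAID only
LONG_SERVERID = _msg(MSG_REQUEST, _opt(OPT_SERVERID, b"\x41" * 300))
TRUNCATED = _msg(MSG_ADVERTISE, struct.pack("!HH", OPT_IA_NA, 50) + b"\x00" * 8)
```

Feed `check_dhcpv6` the UDP payload of each port 546/547 datagram seen on the control network; a non-empty result is the condition the two rules alert on.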