Attack Chain

1. Attacker gains initial access to the target network, specifically the S+ Client Server network, possibly through existing vulnerabilities or misconfigurations.
2. Attacker authenticates to the PostgreSQL database server used by ABB Ability Symphony Plus Engineering.
3. Attacker exploits CVE-2023-5869 by providing crafted data to trigger an integer overflow, enabling arbitrary code execution.
4. Alternatively, the attacker exploits CVE-2023-39417 by injecting malicious SQL code through extension scripts, leading to arbitrary code execution with administrator privileges.
5. Alternatively, the attacker exploits CVE-2024-7348, leveraging a TOCTOU race condition to execute arbitrary SQL functions with elevated privileges using a PostgreSQL utility.
6. The attacker executes arbitrary code within the context of the compromised ABB Ability Symphony Plus Engineering application or the underlying PostgreSQL database.
7. The attacker leverages the compromised system to move laterally within the OT network, potentially targeting other critical systems or data repositories.
8. Attacker achieves complete compromise of the ABB Ability Symphony Plus Engineering system, allowing manipulation of industrial processes, data exfiltration, or denial of service.

Impact

Successful exploitation of these vulnerabilities in ABB Ability Symphony Plus Engineering can have severe consequences, particularly in critical infrastructure sectors. Affected sectors include chemical, critical manufacturing, energy, and water/wastewater facilities worldwide. A compromised system could allow attackers to manipulate industrial processes, leading to equipment damage, environmental incidents, or disruption of essential services like power generation or water treatment. The vulnerabilities could allow attackers to gain unauthorized access to sensitive data, intellectual property, or control systems, resulting in significant financial losses, reputational damage, and potential safety risks.

Recommendation

• Immediately upgrade ABB Ability Symphony Plus Engineering to version 2.4 SP2 RU1 (re-leased in December 2024) or later, as recommended by ABB, to address the identified vulnerabilities (Vendor fix).
• Review and enforce network segmentation and firewall configurations to restrict access to the S+ client/server network, mitigating the risk of external attackers exploiting these vulnerabilities (Mitigation).
• Monitor network traffic for suspicious activity indicative of PostgreSQL exploitation attempts. Deploy the Sigma rule Detect Suspicious PostgreSQL Utility Execution to identify potential exploitation of CVE-2024-7348.
• Enable logging of PostgreSQL queries and analyze logs for SQL injection attempts, specifically looking for suspicious use of extension scripts. Deploy the Sigma rule Detect SQL Injection in PostgreSQL Logs to identify potential exploitation of CVE-2023-39417.