7PAA013309
Vulnerability from csaf_abb - Published: 2024-06-05 00:30 - Updated: 2026-01-23 00:30
Summary
System 800xA SECURITY Advisory - ABB 800xA Base 6.0.x, 6.1.x CSLib communication DoS vulnerability
Notes
Summary
ABB is aware of a vulnerability in the product versions listed as affected in the advisory.
An attacker who successfully exploited this vulnerability could cause services to crash and restart by sending specifically crafted messages.
The vulnerability only affects 800xA services in PC based client/server nodes. Controllers are not affected by this vulnerability.
General security recommendations
Control systems and the control network are exposed to cyber threats. To minimize these risks, the protective measures and best practices listed below are available in addition to other measures. ABB strongly recommends that system integrators and asset owners implement the measures they consider appropriate for their control system environment:
- Place control systems in a dedicated control network containing control systems only.
- Locate control networks and systems behind firewalls and separate them from any other networks like business networks and the Internet.
- Block any inbound Internet traffic destined for the control networks/systems. Place remote access systems used for remote control system access outside the control network.
- Limit outbound Internet traffic originating from control systems/networks as much as possible. If control systems must talk to the Internet, tailor firewall rules to required resources - allow only source IPs, destination IPs and services/destination ports which control systems definitely need to use for normal control operation.
- If Internet access is required on occasion only, disable relevant firewall rules and enable them during the time window of required Internet access only. If supported by your firewall, define an expiry date and time for such rules – after the expiry date and time, the firewall will disable the rule automatically.
- Limit exposure of control networks/systems to internal systems. Tailor firewall rules allowing traffic from internal systems to control networks/systems to allow only source IPs, destination IPs and services/destination ports which are definitely required for normal control operation.
- Create strict firewall rules to filter malicious network traffic targeting control system vulnerabilities ("exploit traffic"). Exploit traffic may use network communication features like source routing, IP fragmentation and/or IP tunneling. If such features are not required for normal control operation, block them on your firewall.
- If supported by your firewall, apply additional filters to allowed traffic which provide protection for control networks/systems. Such filters are provided by advanced firewall features like Application Control and Anti-Virus.
- Use Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to detect/block control system-specific exploit traffic. Consider using IPS rules protecting against control system exploits.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Please ensure that VPN solutions are updated to the most current version available.
- If you need to filter traffic within the control network, consider solutions that support intra-LAN traffic control, such as VLAN access control lists.
- Harden your control systems by enabling only the ports, services and software required for normal control operation. Disable all other ports and disable/uninstall all other services and software.
- If possible, limit the permissions of user accounts, software processes and devices to the permissions required for normal control operation.
- Use trusted, patched software and malware protection solutions. Interact with trusted web sites and trusted email attachments only.
- Ensure all nodes are always up to date in terms of installed software, operating system and firmware patches as well as anti-virus and firewall.
- Protect control systems from physical access by unauthorized personnel e.g. by placing them in locked switch cabinets.
More information on recommended practices can be found in the reference section (3BSE034463-611).
Support
For additional instructions and support please contact your local ABB service organization. For contact information, see https://new.abb.com/contact-centers.
Information about ABB’s cyber security program and capabilities can be found at https://global.abb/group/en/technology/cyber-security.
Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by ABB.
ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages.
This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose.
All rights to registrations and trademarks reside with their respective owners.
Purpose
ABB has a rigorous internal cyber security continuous improvement process which involves regular testing with industry leading tools and periodic assessments to identify potential product issues. Occasionally an issue is determined to be a design or coding flaw with implications that may impact product cyber security.
When a potential product vulnerability is identified or reported, ABB immediately initiates its vulnerability handling process. This entails validating whether the issue is in fact a product issue, identifying root causes, determining what related products may be impacted, developing a remediation, and notifying end users and governmental organizations (e.g. ICS-CERT).
The resulting Cyber Security Advisory intends to notify customers of the vulnerability and provide details on which products are impacted, how to mitigate the vulnerability or explain workarounds that minimize the potential risk as much as possible. The release of a Cyber Security Advisory should not be misconstrued as an affirmation or indication of an active threat or ongoing campaign targeting the products mentioned here. If ABB is aware of any specific threats, it will be clearly mentioned in the communication.
The publication of this Cyber Security Advisory is an example of ABB’s commitment to the user community in support of this critical topic. Responsible disclosure is an important element in the chain of trust we work to maintain with our many customers. The release of an Advisory provides timely information which is essential to help ensure our customers are fully informed.
Frequently Asked Questions
What is the scope of the vulnerability?
- An attacker who successfully exploited this vulnerability could, using a malicious application that connects to a server application (this applies to all 800xA Base server applications), cause the server to crash by sending a specially crafted message.
What causes the vulnerability?
- The vulnerability is caused by an unchecked buffer: a quantity taken from the incoming message is used without being validated (CWE-1284, Improper Validation of Specified Quantity in Input).
What is 800xA Base?
- 800xA Base is the core platform for System 800xA that consists of both core service applications for basic Workplace operations as well as a framework for other System 800xA products.
What is CSLib?
- CSLib is a TCP/IP based protocol that is commonly used by 800xA clients and services.
What might an attacker use the vulnerability to do?
- Denial of service. An attacker can cause a denial of service by continuously sending specially crafted messages to a service on a client/server node. The affected service is restarted automatically. In a redundant system with failover, operation fails over to the redundant service, which can be hit by the same attack, so the affected service stops entirely. The system keeps attempting to restart the services, but a sustained attack defeats these restarts.
Note that repeated restarts of the affected service could be an indication of an attack.
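The restart pattern described above is the practical detection signal for this advisory. The following Python detector is an added example, not ABB code or documentation: it flags a burst of unexpected service terminations per host and service over constructed log lines in a made-up flattened export format. The service name ExampleSvc is a placeholder, since the advisory does not name the affected services; the event IDs are the standard Windows Service Control Manager ones (7031 terminated unexpectedly with a recovery action scheduled, 7034 terminated unexpectedly with no recovery, 7036 a routine state change that is ignored). The ten-minute window and threshold of three are assumptions to tune per site.

```python
"""Flag bursts of unexpected service terminations, per host and service.

Constructed sample export in a made-up flattened format (not real 800xA logs).
Event IDs are the standard Windows Service Control Manager ones: 7031 and 7034
mark a service that terminated unexpectedly; 7036 is a routine state change.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample data. ExampleSvc / OtherSvc / AS01 / AS02 are placeholders.
SAMPLE_EVENTS = """\
2024-06-05T06:00:00Z host=AS01 id=7031 service="OtherSvc" msg="terminated unexpectedly; restart scheduled"
2024-06-05T08:00:01Z host=AS01 id=7031 service="ExampleSvc" msg="terminated unexpectedly; restart scheduled"
2024-06-05T08:00:02Z host=AS01 id=7036 service="ExampleSvc" msg="entered the running state"
2024-06-05T08:02:40Z host=AS01 id=7031 service="ExampleSvc" msg="terminated unexpectedly; restart scheduled"
2024-06-05T08:05:12Z host=AS01 id=7031 service="ExampleSvc" msg="terminated unexpectedly; restart scheduled"
2024-06-05T08:07:55Z host=AS01 id=7034 service="ExampleSvc" msg="terminated unexpectedly"
2024-06-05T08:20:00Z host=AS02 id=7031 service="ExampleSvc" msg="terminated unexpectedly; restart scheduled"
2024-06-05T09:30:00Z host=AS01 id=7031 service="OtherSvc" msg="terminated unexpectedly; restart scheduled"
"""

CRASH_IDS = {7031, 7034}   # SCM "terminated unexpectedly" events
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+) service="(?P<svc>[^"]+)"')


def parse_events(text):
    """Return (timestamp, host, event_id, service) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], int(m["id"]), m["svc"]))
    return events


def restart_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Sliding-window count of crash events per (host, service).

    Returns {(host, service): (count, first_ts, last_ts)} for every pair that
    reached `threshold` crashes inside `window`; the tuple is the state of the
    window the last time the threshold was met. Window and threshold are
    site-specific assumptions."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, event_id, svc in sorted(events):
        if event_id not in CRASH_IDS:
            continue   # state changes and other noise do not count
        q = recent[(host, svc)]
        q.append(ts)
        while ts - q[0] > window:   # drop crashes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(host, svc)] = (len(q), q[0], q[-1])
    return alerts


def analyse(text=SAMPLE_EVENTS):
    return restart_bursts(parse_events(text))


if __name__ == "__main__":
    for (host, svc), (count, first, last) in analyse().items():
        print(f"ALERT {host} {svc}: {count} unexpected terminations between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample data only AS01/ExampleSvc trips the rule (four terminations in under eight minutes); the single crash on AS02 and the two OtherSvc crashes hours apart do not. Because the advisory notes that failover moves the attack to the redundant service, alert on the pair of redundant nodes together rather than per node if your SIEM supports it.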
How could an attacker exploit the vulnerability?
- If the attacker has access to the Client/Server network and IPSec is not enabled, the attacker can connect to the server applications over TCP/IP sockets and send specially crafted messages to exploit this.
The vulnerability only affects 800xA services in PC based client/server nodes. Controllers are not affected by this vulnerability.
Could the vulnerability be exploited remotely?
- If IPSec is not enabled, the vulnerability can be exploited remotely by anyone who can reach the Client/Server network.
If IPSec is enabled, the attacker would first need physical access to the system and would have to plant a trojan or similar on a system node.
What does the update do?
- The previously unchecked buffer is now managed and its bounds are checked securely.
When this security advisory was issued, had this vulnerability been publicly disclosed?
- No, ABB received information about this vulnerability through responsible disclosure.
When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited?
- No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.
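To make the answers to "What causes the vulnerability?" and "What does the update do?" concrete, the following Python example is added here; it is not ABB code and does not use the CSLib wire format, which the advisory does not describe. It assumes a constructed frame of a 4-byte big-endian declared payload length followed by the payload, an assumed protocol maximum of 4096 bytes, and a toy service loop. parse_trusting uses the declared length exactly as received (the CWE-1284 pattern) and goes down on the first crafted frame; parse_checked bounds the declared length by the protocol maximum and by the bytes actually present, and rejects bad frames without crashing.

```python
"""Validating a declared length in a TCP message frame (CWE-1284 pattern).

Constructed toy wire format, not CSLib: 4-byte big-endian payload length,
then the payload. A parser that trusts the declared length and one that
bounds it are run through the same toy service loop.
"""
import struct

HEADER = struct.Struct(">I")   # declared payload length, big-endian uint32
MAX_PAYLOAD = 4096             # assumed protocol maximum for this toy format


class FrameError(ValueError):
    """Protocol violation: log it and drop the connection, keep the service up."""


def build_frame(payload, declared=None):
    """Frame builder; `declared` lets a test lie about the payload length."""
    if declared is None:
        declared = len(payload)
    return HEADER.pack(declared) + payload


def parse_trusting(frame):
    """Vulnerable: the declared length drives the read with no bound check.
    A frame declaring more bytes than were sent makes unpack_from raise a
    struct.error that nothing here handles; in a server that is the crash."""
    (declared,) = HEADER.unpack_from(frame, 0)
    (payload,) = struct.unpack_from(f">{declared}s", frame, HEADER.size)
    return payload


def parse_checked(frame):
    """Hardened: the declared length is bounded by the protocol maximum and by
    the bytes actually received before it is used for anything."""
    if len(frame) < HEADER.size:
        raise FrameError("frame shorter than header")
    (declared,) = HEADER.unpack_from(frame, 0)
    if declared > MAX_PAYLOAD:
        raise FrameError(f"declared length {declared} exceeds maximum {MAX_PAYLOAD}")
    available = len(frame) - HEADER.size
    if declared != available:
        raise FrameError(f"declared {declared} bytes but frame carries {available}")
    return frame[HEADER.size:HEADER.size + declared]


def run_service(parser, frames):
    """Toy service loop. Returns (handled payloads, rejection reasons, crash).
    FrameError is the expected protocol-error path; any other exception is
    modelled as the worker dying, i.e. the denial of service."""
    handled, rejected = [], []
    for frame in frames:
        try:
            handled.append(parser(frame))
        except FrameError as exc:
            rejected.append(str(exc))
        except Exception as exc:  # deliberately broad: models an unhandled crash
            return handled, rejected, type(exc).__name__
    return handled, rejected, None


# Constructed traffic: one benign frame, two crafted ones, one more benign frame.
FRAMES = [
    build_frame(b"hello"),
    build_frame(b"abc", declared=0xFFFFFFFF),  # claims 4 GiB, sends 3 bytes
    build_frame(b"x" * 8, declared=3),         # under-declares; trailing bytes smuggled
    build_frame(b"world"),
]

if __name__ == "__main__":
    for name, parser in (("trusting", parse_trusting), ("checked", parse_checked)):
        handled, rejected, crash = run_service(parser, FRAMES)
        print(f"{name}: handled={handled} rejected={len(rejected)} crash={crash}")
```

The trusting loop handles the first frame and then dies on the oversized declaration; the checked loop handles both benign frames and logs two rejections. The native analogue is a memcpy or socket read driven by the declared length; the structure of the fix is the same: bound the quantity by what the receiving buffer can hold and by what was actually received, and treat a violation as a protocol error on that connection rather than letting it propagate into the service.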
{
"document": {
"acknowledgments": [
{
"names": [
" Uri Sade",
"Roman Dvorkin",
"Roni Gavrilov",
"Eran Jacob"
],
"organization": "OTORIO org",
"summary": "responsibly disclosing the vulnerability and providing valuable input on product improvements."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "En",
"notes": [
{
"category": "summary",
"text": "ABB is aware of a vulnerability in the product versions listed as affected in the advisory.\n\nAn attacker who successfully exploited this vulnerability could cause services to crash and restart by sending specifically crafted messages. \n\nThe vulnerability only affects 800xA services in PC based client/server nodes. Controllers are not affected by this vulnerability",
"title": "Summary"
},
{
"category": "other",
"text": "Control systems and the control network are exposed to cyber threats. In order to minimize these risks, the protective measures and best practices listed below are available in addition to other measures. ABB strongly recommends system integrators and asset owners to implement the measures they consider appropriate for their control system environment:\n\n- Place control systems in a dedicated control network containing control systems only.\n- Locate control networks and systems behind firewalls and separate them from any other networks like business networks and the Internet.\n- Block any inbound Internet traffic destined for the control networks/systems. Place remote access systems used for remote control system access outside the control network.\n- Limit outbound Internet traffic originating from control systems/networks as much as possible. If control systems must talk to the Internet, tailor firewall rules to required resources - allow only source IPs, destination IPs and services/destination ports which control systems definitely need to use for normal control operation.\n- If Internet access is required on occasion only, disable relevant firewall rules and enable them during the time window of required Internet access only. If supported by your firewall, define an expiry date and time for such rules \u2013 after the expiry date and time, the firewall will disable the rule automatically.\n- Limit exposure of control networks/systems to internal systems. Tailor firewall rules allowing traffic\nfrom internal systems to control networks/systems to allow only source IPs, destination IPs and services/destination ports which are definitely required for normal control operation.\n- Create strict firewall rules to filter malicious network traffic targeting control system vulnerabilities (\"exploit traffic\"). Exploit traffic may use network communication features like source routing, IP fragmentation and/or IP tunneling. If such features are not required for normal control operation,\nblock them on your firewall.\n- If supported by your firewall, apply additional filters to allowed traffic which provide protection for control networks/systems. Such filters are provided by advanced firewall features like Application Control and Anti-Virus.\n- Use Intrusion Detection Systems (IDS) or Intrusion Preventions Systems (IPS) to detect/block control system-specific exploit traffic. Consider using IPS rules protecting against control system exploits.\n- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Please ensure that VPN solutions are updated to the most current version available.\n- In case you want to filter internal control network traffic, consider using solutions supporting Intra LAN traffic control like VLAN access control lists.\n- Harden your control systems by enabling only the ports, services and software required for normal control operation. Disable all other ports and disable/uninstall all other services and software.\n- If possible, limit the permissions of user accounts, software processes and devices to the permissions required for normal control operation.\n- Use trusted, patched software and malware protection solutions. Interact with trusted web sites and trusted email attachments only.\n- Ensure all nodes are always up to date in terms of installed software, operating system and firmware patches as well as anti-virus and firewall.\n- Protect control systems from physical access by unauthorized personnel e.g. by placing them in locked switch cabinets.\n\nMore information on recommended practices can be found in the reference section (3BSE034463-611)\n",
"title": "General security recommendations"
},
{
"category": "other",
"text": "For additional instructions and support please contact your local ABB service organization. For contact information, see https://new.abb.com/contact-centers.\n\nInformation about ABB\u2019s cyber security program and capabilities can be found at https://global.abb/group/en/technology/cyber-security.",
"title": "Support"
},
{
"category": "legal_disclaimer",
"text": "The information in this document is subject to change without notice, and should not be construed as a commitment by ABB.\n\nABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages.\n\nThis document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose.\n\nAll rights to registrations and trademarks reside with their respective owners.",
"title": "Notice"
},
{
"category": "other",
"text": "ABB has a rigorous internal cyber security continuous improvement process which involves regular testing with industry leading tools and periodic assessments to identify potential product issues. Occasionally an issue is determined to be a design or coding flaw with implications that may impact product cyber security.\n\nWhen a potential product vulnerability is identified or reported, ABB immediately initiates our vulnerability handling process. This entails validating if the issue is in fact a product issue, identifying root causes, determining what related products may be impacted, developing a remediation, and notifying end users and governmental organizations (e.g. ICS-CERT).\n\nThe resulting Cyber Security Advisory intends to notify customers of the vulnerability and provide details on which products are impacted, how to mitigate the vulnerability or explain workarounds that minimize the potential risk as much as possible. The release of a Cyber Security Advisory should not be misconstrued as an affirmation or indication of an active threat or ongoing campaign targeting the products mentioned here. If ABB is aware of any specific threats, it will be clearly mentioned in the communication.\n\nThe publication of this Cyber Security Advisory is an example of ABB\u2019s commitment to the user community in support of this critical topic. Responsible disclosure is an important element in the chain of trust we work to maintain with our many customers. The release of an Advisory provides timely information which is essential to help ensure our customers are fully informed.",
"title": "Purpose"
},
{
"category": "faq",
"text": "What is the scope of the vulnerability?\n- An attacker who successfully exploited this vulnerability could, by using a malicious application that connects to a server application (applicable for all 800xA Base server applications), cause the server to crash by sending some specifically crafted message. \n\nWhat causes the vulnerability?\n- The vulnerability is caused by an unchecked buffer.\n\nWhat is 800xA Base?\n- 800xA Base is the core platform for System 800xA that consists of both core service applications for basic Workplace operations as well as a framework for other System 800xA products.\n\nWhat is CSLib?\n- CSLib is a TCP/IP based protocol that is commonly used by 800xA clients and services.\n\nWhat might an attacker use the vulnerability to do?\n- Denial of service. An attacker can create denial of services by continuously sending special crafted messages to the service in the system. The impacted service will be automatically restarted. For a redundant system using failover functionality there will be a failover to the redundant service, which may also be impacted by such an attack, stopping the affected service. The services will be attempted to be restarted by the System. However, if the attack is persistent, they will not be able to overcome this. \n\nNote that repeated restarts of the affected service could be an indication of a compromise.\n\nHow could an attacker exploit the vulnerability?\n- If the attacker has access to the Client/Server network and IPSec is not enabled the attacker can connect to the server applications using TCP/IP sockets and send specially crafted messages to exploit this.\n\nThe vulnerability only affects 800xA services in PC based client/server nodes. Controllers are not affected by this vulnerability.\n\nCould the vulnerability be exploited remotely? \n- If IPSec is not enabled there is a possibility to exploit remotely. \n\nIf IPSec is enabled the attacker would first need physical access to the system and plant a trojan or similar in a system node.\n\nWhat does the update do?\n- The unchecked buffer is now managed and checked in a secure way\n\nWhen this security advisory was issued, had this vulnerability been publicly disclosed?\n- No, ABB received information about this vulnerability through responsible disclosure.\n\nWhen this security advisory was issued, had ABB received any reports that this vulnerability was being exploited?\n- No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.\n",
"title": "Frequently Asked Questions"
}
],
"publisher": {
"category": "vendor",
"name": "ABB PSIRT",
"namespace": "https://www.abb.com/global/en/company/about/cybersecurity/alerts-and-notifications"
},
"references": [
{
"summary": "Refer below document for information about how to setup IPSec configuration.\n- 2PAA111693-611 - System 800xA 6.1.1 Installation, Update and Upgrade - Post Installation ",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA111693-611\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"summary": "Refer below document for information about ABB 800xA Base 6.0.3-10.\n- 7PAA020635 800xA - Base 6.0.3-10, Release Notes ",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=7PAA020635\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"category": "self",
"summary": "ABB CYBERSECURITY ADVISORY - PDF version ",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=7PAA013309\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"category": "self",
"summary": "ABB CYBERSECURITY ADVISORY - CSAF version ",
"url": "https://psirt.abb.com/csaf/2026/7paa013309.json"
}
],
"title": "System 800xA SECURITY Advisory - ABB 800xA Base 6.0.x, 6.1.x CSLib communication DoS vulnerability",
"tracking": {
"current_release_date": "2026-01-23T00:30:00.000Z",
"generator": {
"date": "2026-01-23T12:48:51.003Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.42"
}
},
"id": "7PAA013309",
"initial_release_date": "2024-06-05T00:30:00.000Z",
"revision_history": [
{
"date": "2024-06-05T00:30:00.000Z",
"legacy_version": "A",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-06-14T00:30:00.000Z",
"legacy_version": "B",
"number": "2",
"summary": "Included CVSS v4.0 score"
},
{
"date": "2025-01-22T00:30:00.000Z",
"legacy_version": "C",
"number": "3",
"summary": "Updated the planned release date for ABB 800xA Base 6.0.3-x"
},
{
"date": "2025-02-07T00:30:00.000Z",
"legacy_version": "D",
"number": "4",
"summary": "Updated Affected Products and Recommended immediate actions"
},
{
"date": "2026-01-23T00:30:00.000Z",
"legacy_version": "E",
"number": "5",
"summary": "Updated Recommended immediate actions and References. Updated details about fix released in ABB 800xA Base 6.0.3-10"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=6.1.1-2 ",
"product": {
"name": "ABB 800xA Base \u003c=6.1.1-2 ",
"product_id": "AV1"
}
},
{
"category": "product_version",
"name": "6.1.1-3 ",
"product": {
"name": "ABB 800xA Base 6.1.1-3 ",
"product_id": "FX1"
}
},
{
"category": "product_version",
"name": "6.2.0-0",
"product": {
"name": "ABB 800xA Base 6.2.0-0",
"product_id": "FX2"
}
},
{
"category": "product_version",
"name": "6.0.3-10",
"product": {
"name": "ABB 800xA Base 6.0.3-10",
"product_id": "FX3"
}
},
{
"category": "product_version_range",
"name": "\u003c=6.0.3-9",
"product": {
"name": "ABB 800xA Base \u003c=6.0.3-9",
"product_id": "AV2"
}
}
],
"category": "product_name",
"name": "800xA Base "
}
],
"category": "vendor",
"name": "ABB"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-3036",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "description",
"text": "An attacker who successfully exploited this vulnerability could cause services to crash by sending specifically crafted messages",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"FX1",
"FX2",
"FX3"
],
"known_affected": [
"AV1",
"AV2"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2024-3036",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3036"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "The problem is corrected in the following product versions:\n- ABB 800xA Base 6.2.0-0 (part of System 800xA 6.2.0.0)\n- ABB 800xA Base 6.1.1-3 (part of System 800xA 6.1.1.2)\n- ABB 800xA Base 6.0.3-10 (RollUp released in September\u20192025. RollUp requires System 800xA 6.0.3.4 to be installed in the system. See References for more details.)\n\nIt is recommended to update to an active product version to obtain the latest corrections.\n",
"product_ids": [
"AV1",
"AV2"
]
},
{
"category": "mitigation",
"details": "Refer to section \u201cGeneral security recommendations\u201d for further advise on how to keep your system secure.",
"product_ids": [
"AV1",
"AV2"
]
},
{
"category": "workaround",
"details": "The system can be protected from network-based exploits of this vulnerability by enabling IPSec according to existing user documentation (See References).",
"product_ids": [
"AV1",
"AV2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.1,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 5.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"AV1",
"AV2"
]
}
],
"title": "CVE-2024-3036"
}
]
}