A bug in ABB Totalflow flow computers exposed oil and gas companies to attack

A flaw in the ABB Totalflow system used in oil and gas organizations could be exploited by an attacker to inject and execute arbitrary code.

Researchers from industrial security firm Claroty disclosed details of a vulnerability affecting ABB Totalflow flow computers and remote controllers. Flow computers are used to calculate volume and flow rates for oil and gas that are critical to electric power manufacturing and distribution.

The critical systems are widely used by oil and gas organizations worldwide. The vulnerability, CVE-2022-0902 (CVSS score: 8.1), is a path-traversal issue that can be exploited by an attacker to inject and execute arbitrary code.

According to Claroty experts, the vulnerability resides in the implementation of the Totalflow TCP protocol in ABB G5 products.

“Team82 found a high-severity path-traversal vulnerability (CVE-2022-0902) in ABB’s TotalFlow Flow Computers and Remote Controllers. Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code.” reads an advisory published by Claroty.

The industrial automation giant ABB addressed the flaw with the release of firmware updates on July 14, 2022.

The researchers initially discovered an authentication bypass issue, then explored the systems looking at functionalities available to authenticated users such as uploading and downloading configuration files.

Then the experts discovered a path traversal vulnerability by requesting the /etc/shadow file.

Once obtained arbitrary read and write capabilities, the experts easily achieve arbitrary code execution. 

“We chose the simplest approach, reading /etc/shadow and using hashcat cracking the root account password (which turned out to be root:root). Then we changed the SSH configuration file to enable root to connect using password. Then all that was left to do was to turn on the SSH daemon (using the TotalFlow protocol) and to connect to it.” concludes the advisory.

“A successful exploit of this issue could impede a company’s ability to bill customers, forcing a disruption of services, similar to the consequences suffered by Colonial Pipeline following its 2021 ransomware attack.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ABB Totalflow)

[adrotate banner=”5″]

[adrotate banner=”13″]