Claroty's Team82 uncovers new ABB TotalFlow vulnerability
Claroty has uncovered a new vulnerability in ABB TotalFlow flow computers and controllers.
ABB TotalFlow devices are used within many large oil and gas utilities worldwide to calculate volume and flow rates for oil and gas, which are critical to electric power manufacturing and distribution. They are also used as inputs in other areas, including billing.
Claroty says the new vulnerability gives attackers the ability to gain root access on an ABB flow computer, allowing them to also read and write files and remotely execute code. They say an attacker could exploit a vulnerable system to inject and execute arbitrary code.
Analysis by Claroty's Team82 uncovered a high-severity path-traversal vulnerability (CVE-2022-0902) in ABB's TotalFlow Flow Computers and Remote Controllers that attackers can exploit to gain root access.
Affected products include ABB’s RMC-100 (Standard), the RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5 and UDC products.
ABB says that it has made a firmware update available that resolves the vulnerability in a number of product versions, and the company also recommends network segmentation as a mitigation tool. Users are also urged to immediately update their firmware to the latest version.
Team82 says the vulnerability's consequences will be similar to those suffered as a result of the Colonial Pipeline breach following its 2021 ransomware attack.
"Team82 focused on ABB flow computers because of their use within many large oil and gas utilities worldwide. We looked for vulnerabilities that could give an attacker the ability to influence measurements by remotely running code of their choice on the device," the report says.
"As a result, Team82 found a high-severity path-traversal vulnerability (CVE-2022-0902) in ABB's TotalFlow Flow Computers and Remote Controllers. Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code."
The team says that in relation to billing, the flaw could result in extreme consequences. It could also cause a possible shutdown, with both IT and OT systems being affected.
"One other important aspect to the role of flow computers within a utility is billing. The most noteworthy and related security incident was the ransomware attack against Colonial Pipeline, which impacted enterprise systems, and forced the company to shut down production because it could not bill customers," the report says.
"Disrupting the operation of flow computers is a subtle attack vector that could similarly impact not only IT, but also OT systems; this led us to research the security of these machines."