ABB B&R Automation Studio <6.5: Multiple Critical SQLite Vulnerabilities
- [01] Immediate impact: Critical vulnerabilities in ABB B&R Automation Studio <6.5 allow unauthorized access, data exposure, or remote code execution in energy sector ICS environments.
- [02] Affected systems: ABB B&R Automation Studio versions prior to 6.5, which embed vulnerable SQLite components.
- [03] Remediation: Upgrade ABB B&R Automation Studio to version 6.5 immediately to patch these critical security flaws.
Overview of Critical Vulnerabilities in ABB B&R Automation Studio
ABB has identified and addressed a series of critical vulnerabilities stemming from an outdated third-party component, SQLite, embedded within its B&R Automation Studio software. These security flaws, primarily affecting versions prior to 6.5, pose significant risks including the potential for unauthorized access, data exposure, or remote code execution (RCE). While no successful exploitation has been observed during vendor testing, the presence of multiple vulnerabilities with CVSS scores as high as 9.8 highlights the urgency for affected organizations to update.
This advisory, republished by CISA, is particularly relevant for critical infrastructure sectors, especially the Energy sector, where ABB B&R Automation Studio is deployed worldwide. Security professionals must prioritize remediation to safeguard operational technology (OT) environments.
Technical Analysis of Embedded SQLite Flaws
The core of the identified issues lies within various versions of the SQLite database component used by ABB B&R Automation Studio. A comprehensive review reveals a multitude of vulnerabilities, ranging from heap-based buffer overflows to integer overflows and improper input validation. These flaws create attack vectors that, if exploited, could severely compromise the integrity and availability of industrial control systems (ICS).
Among the most critical issues are:
- CVE-2025-6965: A numeric truncation error in SQLite that could lead to memory corruption, rated at CVSS 9.8 (Critical).
- CVE-2025-3277: An integer overflow within SQLite’s concat_ws() function, resulting in a substantial heap-based buffer overflow of approximately 4GB. This also carries a CVSS score of 9.8 (Critical).
- CVE-2019-19646: An improper check for unusual conditions in pragma.c that, in certain circumstances involving generated columns, can lead to critical compromise (CVSS 9.8).
- CVE-2019-8457: A heap out-of-bounds read in the rtreenode() function when processing invalid RTree tables. This vulnerability is rated 9.8 (Critical).
- CVE-2017-10989: A heap-based buffer over-read in the getNodeSize function related to undersized RTree blobs, also with a critical CVSS score of 9.8.
- CVE-2015-5895: Multiple unspecified vulnerabilities in older SQLite versions that could lead to exposure of sensitive information to an unauthorized actor, rated 9.8 (Critical).
Other notable vulnerabilities include several heap-based buffer overflows (CVE-2023-7104, CVE-2020-15358), use-after-free conditions (CVE-2020-13630, CVE-2020-11656), and integer overflows (CVE-2018-20506, CVE-2018-20346, CVE-2015-3416), all of which present various levels of risk, including denial of service and potential privilege escalation.
These issues collectively highlight the risk of relying on outdated software components, especially in critical ICS environments. Attackers could potentially chain these vulnerabilities to achieve sophisticated attacks targeting operational stability and data confidentiality. Effectively mitigating the SQLite heap-based buffer overflows and other memory corruption issues is paramount for system owners.
Actionable Recommendations and Mitigations
Defenders must act promptly to address these vulnerabilities in ABB B&R Automation Studio deployments. Prioritizing updates and implementing robust security practices for ICS and OT environments is essential.
Addressing ABB B&R Automation Studio <6.5 Security Update
- Immediate Update: The primary recommendation is to update ABB B&R Automation Studio to version 6.5. This version incorporates the necessary fixes to replace the outdated and vulnerable third-party SQLite component. B&R recommends applying this update at the earliest convenience. Consult the user manual for instructions on identifying the installed product version and installing updates.
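To support the version check the advisory asks for, here is an added example of a small inventory triage script. It is not code from the advisory, CISA, or ABB/B&R; it assumes an inventory of hostnames and installed Automation Studio version strings (the sample rows are constructed and the hostnames hypothetical) and flags every install below the 6.5 fix release. The version strings are compared numerically, field by field, because a plain string comparison would wrongly rank a hypothetical 6.10 below 6.5. It also shows how to read the SQLite library version actually linked into a process, using Python's own sqlite3 module as the stand-in for a product's bundled library.

```python
import re
import sqlite3
from typing import Iterable, List, NamedTuple, Tuple

# From the advisory: Automation Studio 6.5 replaces the vulnerable SQLite component.
FIXED_VERSION = "6.5"


class Finding(NamedTuple):
    host: str
    version: str
    affected: bool


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '6.4.1', '6.5' or '6.10.2 SP1' into a zero-padded tuple of ints.

    Padding to a fixed width makes '6.5' and '6.5.0' compare equal, and the
    numeric fields avoid the string-ordering bug where '6.10' < '6.5'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    fields = [int(p) for p in m.group(1).split(".")]
    if len(fields) > width:
        raise ValueError(f"version has more than {width} fields: {text!r}")
    return tuple(fields + [0] * (width - len(fields)))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Versions strictly below the fix release are affected."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Evaluate every (host, version) pair and return one Finding per host."""
    return [Finding(host, ver, is_affected(ver)) for host, ver in inventory]


def affected_hosts(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Hostnames that still need the 6.5 update."""
    return [f.host for f in triage(inventory) if f.affected]


def embedded_sqlite_version() -> str:
    """Report the SQLite library version linked into this interpreter.

    The same underlying call (sqlite3_libversion) can be made with ctypes
    against a product's own bundled sqlite3 library to confirm what shipped.
    """
    return sqlite3.sqlite_version


# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "6.4.1"),
    ("eng-ws-02", "6.5"),
    ("eng-ws-03", "6.10.0"),  # above 6.5 numerically, below it as a string
    ("eng-ws-04", "4.12"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        status = "UPDATE REQUIRED" if f.affected else "ok"
        print(f"{f.host:10} {f.version:8} {status}")
    print("SQLite linked into this interpreter:", embedded_sqlite_version())
```

Feed the script the real inventory exported from your asset management tooling; the parsing deliberately tolerates trailing suffixes such as service-pack labels so that a mixed export does not abort on the first unusual string.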
General Security Recommendations for ICS Environments
In addition to applying the vendor fix, CISA recommends implementing the following defensive measures to minimize exploitation risk and strengthen the security posture of ICS assets:
- Network Segmentation: Minimize network exposure for all control system devices and systems. Ensure that these critical assets are isolated from business networks and not directly accessible from the internet. Employ network segmentation and firewalls to create clear security boundaries.
- Secure Remote Access: When remote access is indispensable, utilize secure methods such as Virtual Private Networks (VPNs). Regularly update VPNs to the most recent versions, acknowledging that a VPN’s security is contingent on the security of its connected devices.
- Principle of Least Privilege: Implement the principle of least privilege for all user accounts and services. Restrict permissions to only what is necessary for operations.
- Defense-in-Depth Strategies: Implement a comprehensive defense-in-depth approach. This includes a layered security architecture that combines administrative, technical, and physical controls to protect ICS assets. This contributes significantly to defending ICS against remote code execution attempts.
- Risk Assessment and Impact Analysis: Before deploying any defensive measures, conduct a thorough impact analysis and risk assessment to understand potential operational consequences.
- Monitor and Report: Actively monitor ICS networks for suspected malicious activity. Establish internal procedures for incident response and report findings to CISA for broader tracking and correlation against other incidents. Adopting a Zero Trust architecture can further enhance detection and response capabilities.