[TIMESTAMP: 2026-04-30 16:40 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

ABB Symphony Plus Engineering: Fix PostgreSQL RCE Vulnerabilities

HIGH Vulnerabilities #abb#postgresql#ics
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers with network access can execute arbitrary code by exploiting legacy PostgreSQL vulnerabilities within the ABB Symphony Plus Engineering platform.
  • [02] Vulnerabilities impact ABB Ability Symphony Plus Engineering versions 2.2 through 2.4 SP2, specifically affecting bundled PostgreSQL instances version 13.11 or earlier.
  • [03] Organizations should immediately upgrade to Symphony Plus Engineering 2.4 SP2 RU1 or later to mitigate these high-severity security risks.

Overview of ABB Symphony Plus Engineering Security Gaps

ABB has identified multiple security vulnerabilities within the ABB Ability Symphony Plus Engineering software suite. These flaws do not reside within the core ABB proprietary code but are instead inherited from the bundled PostgreSQL database management system. According to CISA Advisory ICSA-26-120-06, versions of the engineering platform utilizing PostgreSQL 13.11 or earlier are susceptible to several high-severity exploits.

If a threat actor gains access to the site’s S+ Client/Server network, they can leverage these vulnerabilities to achieve RCE, potentially compromising the entire Industrial Control System (ICS). The impact is significant for organizations in the Chemical, Energy, and Water sectors, where Symphony Plus is widely deployed for process automation. This disclosure underscores the risk that third-party software components add to the supply-chain attack surface of critical infrastructure.

Technical Analysis of PostgreSQL Vulnerabilities

The primary concern involves four distinct CVE identifiers that allow for unauthorized code execution or Privilege Escalation.

Critical Logic Flaws

CVE-2023-5869 is a classic integer overflow vulnerability. An authenticated user can supply crafted data that bypasses overflow checks, triggering memory corruption that can lead to code execution. Although initial authentication is required, this lowers the bar for an insider or a laterally moving attacker to gain deeper control of the system.

CVE-2024-7348 is a Time-of-check Time-of-use (TOCTOU) race condition. This flaw exists in a PostgreSQL utility that often operates with elevated privileges. By timing specific SQL commands, an attacker can substitute intended operations with malicious SQL functions. Security researchers investigating how to detect CVE-2024-7348 exploit attempts should monitor for unusual activity surrounding high-privilege maintenance utilities and unexpected SQL function execution patterns.

SQL Injection and Privilege Handling

CVE-2023-39417 involves improper neutralization of special elements within extension scripts. When an administrator installs specific extensions, the quoting constructs can be manipulated to perform SQL injection. Additionally, CVE-2024-0985 utilizes untrusted materialized views to lure high-privileged users into inadvertently executing code when they refresh the view. Both vulnerabilities have a high CVSS score because they directly lead to a total loss of confidentiality and integrity if successful.

Symphony Plus Engineering 2.4 RCE Mitigation

The most effective remediation is to apply ABB's PostgreSQL update for Symphony Plus Engineering. ABB recommends that users of S+ Engineering versions 2.2 through 2.4 SP2 upgrade to version 2.4 SP2 RU1 or later. This update replaces the vulnerable database engine with a patched version of PostgreSQL.

For environments where immediate patching is not feasible, defenders must implement rigid network segmentation. Since the exploit requires access to the S+ client/server network, isolating this segment from the broader corporate network and the internet is vital. Organizations should adopt Zero Trust principles, ensuring that all access to the engineering workstation is authenticated and monitored via a SIEM.

Defensive Recommendations and Best Practices

Defenders should align their strategy with the MITRE ATT&CK framework for ICS, focusing on preventing initial access and Lateral Movement.

  • Network Isolation: Ensure control system networks are physically protected and located behind firewalls. Minimize the number of open ports on the S+ client/server network.
  • Remote Access Security: If remote access is necessary, utilize VPNs with multi-factor authentication. Always treat the VPN as a potential entry point and maintain it at the latest patch level.
  • Monitoring and Detection: Configure your EDR and SOC to flag unauthorized attempts to interact with the PostgreSQL service on engineering workstations. Check for the creation of unauthorized materialized views or anomalous SQL errors that could serve as an IoC of an ongoing exploit attempt.
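One way to turn the monitoring item above into a concrete check, as an added example that is not ABB's, CISA's or this site's code: it scans PostgreSQL server log lines (constructed here, assuming log_line_prefix '%m [%p] %u@%d ' and log_statement set to 'ddl' or 'all') for materialized-view and extension DDL issued by roles outside an assumed allowlist, flags SQL syntax errors, and compares a reported server version against the 13.11 threshold the advisory cites. The role names and log samples are assumptions, not values from the advisory.

```python
"""Scan PostgreSQL server logs for the activity the advisory says to watch for.
Added example (not ABB, CISA or PostgreSQL code); assumes
log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'ddl' or 'all'."""
import re

AFFECTED_MAX = (13, 11)  # advisory: PostgreSQL 13.11 or earlier is affected
ALLOWED_DDL_ROLES = {"postgres", "splus_admin"}  # assumed role names for routine DDL

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
STATEMENT_RE = re.compile(r"statement:\s*(?P<sql>.*)", re.I)
# DDL tied to CVE-2024-0985 (materialized views) and CVE-2023-39417 (extension scripts).
SUSPICIOUS_DDL = re.compile(
    r"\b(CREATE|REFRESH)\s+MATERIALIZED\s+VIEW\b|\b(CREATE|ALTER)\s+EXTENSION\b", re.I)

# Constructed sample lines: a routine refresh, an unexpected create, a syntax error, a benign query.
SAMPLE_LOG = [
    "2026-04-30 16:40:01.123 UTC [4021] splus_admin@spe LOG:  statement: REFRESH MATERIALIZED VIEW reports.tag_summary",
    "2026-04-30 16:41:12.456 UTC [4022] hmi_reader@spe LOG:  statement: CREATE MATERIALIZED VIEW public.mv_x AS SELECT 1",
    '2026-04-30 16:41:13.001 UTC [4022] hmi_reader@spe ERROR:  syntax error at or near "$$"',
    "2026-04-30 16:42:00.000 UTC [4023] hmi_reader@spe LOG:  statement: SELECT * FROM tags",
]


def is_affected_version(version: str) -> bool:
    """True when a 'major.minor' server version falls inside the affected range."""
    parts = version.strip().split(".")
    major, minor = int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)
    return (major, minor) <= AFFECTED_MAX


def scan_log(lines):
    """Return (timestamp, role, reason, detail) tuples worth forwarding to the SIEM."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unexpected prefix: skip rather than guess
        user, level, msg = m["user"], m["level"], m["msg"]
        stmt = STATEMENT_RE.search(msg)
        if stmt and SUSPICIOUS_DDL.search(stmt["sql"]) and user not in ALLOWED_DDL_ROLES:
            findings.append((m["ts"], user, "privileged DDL by unexpected role", stmt["sql"]))
        elif level == "ERROR" and "syntax error" in msg.lower():
            findings.append((m["ts"], user, "anomalous SQL error", msg))
    return findings
```

Run scan_log over the engineering workstation's PostgreSQL log and feed the findings to the SIEM; pair it with is_affected_version on the output of SELECT version() to confirm whether the bundled engine is still in the affected range.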
