CVE-2023-47359 & More: Critical Vulnerabilities in ABB Ability Camera Connect
- [01] Immediate impact: Multiple critical vulnerabilities in ABB Camera Connect's VLC component could enable remote code execution or denial-of-service.
- [02] Affected systems: ABB Ability Camera Connect versions 1.5.0.14 and below, impacting critical infrastructure sectors.
- [03] Remediation: Update ABB Ability Camera Connect to version 1.5.0.15 or ensure VLC Media Player is current.
Overview of ABB Ability Camera Connect Vulnerabilities
ABB has released an advisory regarding multiple critical and high-severity vulnerabilities impacting its Ability Camera Connect software, specifically versions 1.5.0.14 and below. These vulnerabilities stem from an outdated third-party component, VLC media player version 2.2.4, delivered within the Camera Connect installation package. An attacker successfully exploiting these issues could potentially compromise the system in various ways, ranging from denial of service (DoS) to arbitrary code execution.
This advisory, republished by CISA, highlights a significant risk, especially for organizations operating within critical infrastructure sectors such as Chemical, Commercial Facilities, Communications, Critical Manufacturing, Energy, and Transportation Systems. While the affected systems are often deployed in isolated environments, understanding the nature of these vulnerabilities and the specific mitigation factors is paramount for effective defense.
Technical Analysis of ABB Ability Camera Connect <=1.5.0.14 Vulnerabilities
The identified vulnerabilities primarily relate to memory corruption issues within the bundled VLC media player component. Many of these flaws, categorized as CVEs, allow for potential remote code execution (RCE) or severe denial of service (DoS) conditions. Among the most critical identified are:
- CVE-2023-47359: A heap-based buffer overflow in VLC media player prior to version 3.0.20, specifically within the GetPacket() function. This vulnerability, with a CVSS v3.1 score of 9.8 (Critical), could lead to memory corruption and potentially RCE when processing a maliciously crafted MMS stream.
- CVE-2019-13962: Another critical (CVSS 9.8) heap-based buffer over-read in lavc_CopyPicture in VLC through 3.0.7. This flaw arises from improper validation of width and height, enabling an attacker to trigger memory issues via a crafted MKV file.
- CVE-2017-10699: Rated Critical (CVSS 9.8), this out-of-bounds heap memory write in avcodec (VLC 2.2.x) can be triggered by calling memcpy() with an incorrect size, potentially resulting in an application crash or code execution.
Additional high-severity vulnerabilities include:
- CVE-2024-46461: An integer overflow in VLC 3.0.20 and earlier leading to denial of service, also through a crafted MMS stream.
- CVE-2023-46814: A binary hijacking vulnerability in VLC before 3.0.19 on Windows, allowing for Privilege Escalation by executing code with elevated privileges from a user-writable location during uninstallation.
- CVE-2022-41325: An integer overflow in VLC’s VNC module (through 3.0.17.4) that can crash VLC or execute code if a user opens a crafted playlist or connects to a rogue VNC server.
- Numerous other vulnerabilities involve integer underflows, out-of-bounds reads/writes, double frees, and use-after-free conditions across various media parsing components (e.g., MP4, FLAC, subtitles).
Impact and Mitigating Factors
While the severity scores for these vulnerabilities are high to critical, their practical exploitability in many deployments of ABB Ability Camera Connect is significantly reduced. This is primarily because the software is often deployed in air-gapped or isolated operational technology (OT) environments. These environments typically lack direct internet connectivity, restrict network ingress, and limit external media inputs.
For example, the vulnerabilities requiring crafted MMS, MKV, or MP4 files depend on an attacker being able to introduce such malicious content. In isolated setups with strict access controls and media handling policies, the attack surface for these TTPs is inherently smaller. Similarly, the binary hijacking vulnerability (CVE-2023-46814) is mitigated if only trusted, privileged users perform installations and modifications, preventing unprivileged users from injecting malicious files.
However, these mitigating factors do not eliminate the risk entirely. A threat actor with internal access, or one who has achieved initial compromise through other means, could potentially leverage these vulnerabilities for Lateral Movement, privilege escalation, or to disrupt operations. The potential for a targeted attack remains, underscoring the need for diligence even in seemingly secure environments.
Actionable Recommendations and How to Update ABB Ability Camera Connect for ICS Security
To address the vulnerabilities in ABB Ability Camera Connect, organizations must prioritize patching and robust security practices, regardless of their current operational environment. Prompt action is necessary to maintain the integrity and availability of these critical systems.
Patching and Updates
- Immediate Update: The most direct and effective remediation is to update ABB Ability Camera Connect to version 1.5.0.15. This version contains an updated third-party VLC media player component, resolving all reported vulnerabilities. ABB recommends applying this update at the earliest convenience.
- VLC Media Player Component Update: If a full Camera Connect update is not immediately feasible, consider updating the VLC Media Player component independently, if technically supported and sanctioned by ABB.
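Added example (not from ABB, CISA, or the original article): a Python triage helper that maps an inventoried Camera Connect version and its bundled VLC version onto the version bounds quoted above, including the case where VLC was updated separately. The function names and status labels are illustrative assumptions, and matching uses only the bounds as this article states them.

```python
from itertools import zip_longest

# Bounds as stated in the article: "lt" = affected before that release,
# "le" = affected through it, "series" = affected release line (2.2.x).
VLC_BOUNDS = {
    "CVE-2023-47359": ("lt", "3.0.20"),
    "CVE-2019-13962": ("le", "3.0.7"),
    "CVE-2017-10699": ("series", "2.2"),
    "CVE-2024-46461": ("le", "3.0.20"),
    "CVE-2023-46814": ("lt", "3.0.19"),
    "CVE-2022-41325": ("le", "3.0.17.4"),
}
CAMERA_CONNECT_FIXED = "1.5.0.15"  # first fixed Camera Connect release


def parse(version):
    """Turn '3.0.17.4' into (3, 0, 17, 4); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Return -1, 0 or 1; missing components count as 0 (3.0.18 == 3.0.18.0)."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def vlc_cves(vlc_version):
    """CVEs from the article whose stated bound covers this VLC version."""
    def hit(kind, bound):
        if kind == "series":
            return parse(vlc_version)[:2] == parse(bound)
        # "lt" matches only strictly older versions; "le" also matches equal.
        return compare(vlc_version, bound) < (0 if kind == "lt" else 1)
    return sorted(c for c, (k, b) in VLC_BOUNDS.items() if hit(k, b))


def triage(cc_version, vlc_version):
    """Classify one host (illustrative labels) and list the matching CVEs."""
    cves = vlc_cves(vlc_version)
    patched_cc = compare(cc_version, CAMERA_CONNECT_FIXED) >= 0
    if not cves:
        return ("ok" if patched_cc else "ok-vlc-updated-separately"), cves
    return ("check-bundled-vlc" if patched_cc else "vulnerable"), cves
```

Feed it the versions your asset inventory reports per host; a "check-bundled-vlc" result means Camera Connect reports a fixed release while the VLC binary found on disk still falls inside a listed bound.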
Network and System Hardening
- Minimize Network Exposure: Ensure all control system devices and systems, including those running ABB Ability Camera Connect, are not accessible from the internet. This aligns with fundamental OT security principles.
- Network Segmentation: Isolate control system networks and remote devices behind firewalls, segmenting them from enterprise and business networks. This limits the blast radius of any potential compromise.
- Secure Remote Access: When remote access is indispensable, employ secure methods such as Virtual Private Networks (VPNs). Crucially, ensure VPN solutions are updated to their latest versions and are themselves not vulnerable. Understand that a VPN’s security is contingent on the security of its connected devices.
- Access Control: Implement stringent access controls, ensuring that only authorized, privileged users can perform installations, modifications, or introduce media files to the system.
- Media Handling Policies: Develop and enforce strict policies for the introduction of all external media (USB drives, network shares, etc.) into isolated environments. All media should be scanned and verified as safe before use.
- Situational Awareness: Continuously monitor for suspected malicious activity. Establish internal procedures for incident response and report findings to relevant authorities like CISA for broader threat intelligence correlation.
Implementing these recommendations helps mitigate the specific risks associated with these VLC vulnerabilities and contributes to an overall stronger Zero Trust posture within Industrial Control System environments. Before deploying any defensive measures, conduct a thorough impact analysis and risk assessment to ensure operational continuity.