2 Advisories Published – 1-7-25
Today CISA’s NCCIC-ICS published two control system security advisories for products from Nedap and ABB. I also include a down-the-rabbit-hole look at the ABB vulnerabilities.
Nedap Advisory
This advisory describes a missing-authentication-for-critical-function vulnerability in the Nedap Librix Ecoreader. The vulnerability was reported to CISA by Prajitesh Singh of Cyble. NCCIC-ICS reports that: “Nedap Librix did not respond to our attempts to coordinate with them.”
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to achieve remote code execution.
Commentary: It is sad to see a company in the security business (the Ecoreader is an RFID reader used in retail product security and building access systems) that does not have a specific cybersecurity contact listed on their website.
ABB Advisory
This advisory describes 26 vulnerabilities (all with publicly available exploits) in the ABB ASPECT-Enterprise, NEXUS, and MATRIX series products. The vulnerabilities were reported to CISA by Gjoko Krstikj of Zero Science Lab. ABB has a new version that mitigates the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to disrupt operations or achieve remote code execution.
DTRH ABB Aspect Vulnerabilities
I have been reporting about these ABB advisories since September on my weekly Public ICS Disclosures blog posts. Almost all of the Zero Science advisories (typically an advisory covers a single vulnerability) were accompanied by the publication of exploits by LiquidWorm (nom-de-cyber of Krstikj) on PacketStorm.news (links to the exploits are included in the Zero Science advisories). Only some of the latest Zero Science advisories include references to CVE numbers, so it will be tedious to link up the exploits with the vulnerabilities listed in this advisory.
There have been more vulnerabilities reported by Krstikj than those listed here, 74 by my latest count. That includes six that have been reported this week (see my weekend post). All were reported to ABB and only two of those (to date) have been disputed by the vendor:
[03.01.2025] ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) Remote Code Execution
[03.01.2025] ABB Cylon Aspect 4.00.00 (factorySaved.php) Unauthenticated XSS
These vulnerability reports by Zero Science demonstrate an almost fanatical determination to find every vulnerability in a single product. I am not sure whether the number of vulnerabilities discovered is more a positive reflection of Krstikj’s skills and dedication, or a negative reflection on the lack of secure coding practices by the vendor; probably a mixture of the two. To be fair, I would be surprised if any ICS product would stand up any better to this level of examination.