Threat Signal Report

Path Traversal Vulnerability (CVE-2022-0902) in ABB Flow Computer and Remote Controllers

description-logo Description

UPDATE 2022/11/16: Updated the Appendix for a link to Outbreak Alert.


FortiGuard Labs is aware a path-traversal vulnerability (CVE-2022-0902) that affects ABB Totalflow flow computers and remote controllers widely used by oil and gas utility companies. Successfully exploiting the vulnerability allows an attacker to inject and execute arbitrary code. The vulnerability is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers.


Why is this Significant?

This is significant because the new vulnerability (CVE-2022-0902) affects ABB TotalFlow flow computers and remote controllers widely used by oil and gas utility companies. ABB TotalFlow is used to calculate oil and gas volume and flow rates and is also used for billing and other purposes.

By successfully exploiting the vulnerability, an attacker may be able to hinder affected oil and gas companies' abilities to correctly measure oil and gas flow, which may lead to safety issues and interruption of business.


What is CVE-2022-0902?

CVE-2022-0902 is a path-traversal vulnerability (CVE-2022-0902) in ABB TotalFlow flow computers and remote controllers. The vulnerability allows an attacker to gain access to restricted directories in ABB flow computers leading to arbitrary code execution in an affected system node.


CVE-2022-0902 has a CVSS score of 8.1.


What Products are Affected by the Vulnerability?

According to the advisory issued by ABB, the following products are affected by the vulnerability:

RMC-100

RMC100L ITE

XIO

XFCG5

XRCG5

uFLOG5

UDC


All versions of the products without the latest update are vulnerable to CVE-2022-0902.


Is CVE-2022-0902 being Exploited in the Wild?

FortiGuard Labs is not aware that CVE-2022-0902 is exploited in the wild.


Has the Vendor Released an Advisory?

Yes. Please see the Appendix for a link to "ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access CVE ID: CVE-2022-0902".


Has the Vendor Released a Patch?

Yes, the vendor released a firmware update.


What is the Status of Protection?

FortiGuard Labs is currently investigating protection for CVE-2022-0902. We will update this Threat Signal when protection becomes available.


Any Suggested Mitigation?

The advisory issued by ABB includes mitigation and workarounds information. See the Appendix for a link to "ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access CVE ID: CVE-2022-0902".


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.