‘High-severity’ vulnerability found in computers used by large oil and gas utilities
The makers of a popular computer system used widely by large oil and gas utilities worldwide have patched a vulnerability discovered by security company Claroty.
The ‘high-severity’ vulnerability affects ABB’s flow computers — devices that calculate oil and gas volume and flow rates. ABB is a 130-year-old Swedish-Swiss electrical equipment giant.
Claroty explained that flow computers are critical to the safety of facilities but are also important for billing services.
The vulnerability they found – CVE-2022-0902 – carries a CVSS v3 score of 8.1 out of 10 and was recently addressed in a firmware update from ABB.
An ABB spokesperson said the company is “aware of private reports of a vulnerability in the flow computer and remote controller product versions listed in our advisory from July 14th, 2022.”
“An update is available that resolves the vulnerability in the product versions listed in the advisory. Mitigation can be accomplished by proper network segmentation.”
Claroty explained that the vulnerability would enable an attacker to take over flow computers and remotely disrupt their ability to accurately measure oil and gas flow.
The vulnerability affects ABB’s RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, and UDC products.
Claroty said its research arm, Team82, focused on ABB flow computers because of their use within many large oil and gas operations worldwide.
“We looked for vulnerabilities that could give an attacker the ability to influence measurements by remotely running code of their choice on the device,” the researchers said, finding a “high-severity path-traversal vulnerability” in the flow computers and remote controllers.
“Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code,” they said.
Claroty noted that flow meters read raw data from attached sensors that measure the volume of a substance in a number of ways, depending on whether a gas or a liquid is being measured. The vulnerability could impede a company’s ability to bill customers – an issue that came to light during the headline-grabbing ransomware attack on Colonial Pipeline last year.
“Disrupting the operation of flow computers is a subtle attack vector that could similarly impact not only IT, but also OT systems; this led us to research the security of these machines,” Claroty said.