---
title: "Critical Vulnerabilities in ABB Symphony Plus Engineering Expose Industrial Systems"
short_title: "ABB Symphony Plus flaws risk industrial systems"
description: "ABB warns of high-severity vulnerabilities in Symphony Plus Engineering, enabling arbitrary code execution. Learn mitigation steps and patch recommendations."
author: "Vitus"
date: 2024-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [abb, postgresql, cve-2023-5869, cve-2023-39417, industrial-security]
score: 0.85
cve_ids: [CVE-2023-5869, CVE-2023-39417, CVE-2024-7348, CVE-2024-0985]
---
## TL;DR
ABB has disclosed four high-severity vulnerabilities in its Symphony Plus Engineering software, affecting versions 2.2 to 2.4 SP2. Exploiting these flaws could allow attackers to execute arbitrary code, compromise industrial systems, or cause denial-of-service conditions. ABB urges immediate patching to S+ Engineering 2.4 SP2 RU1 or later, alongside strict network security measures.
## Main Content
### Introduction
Industrial control systems (ICS) are the backbone of critical infrastructure, and their security is paramount. ABB, a global leader in industrial automation, has issued an urgent advisory highlighting multiple high-severity vulnerabilities in its Symphony Plus Engineering software. These flaws, rooted in PostgreSQL version 13.11 and earlier, could enable attackers to execute arbitrary code, escalate privileges, or disrupt operations in chemical, energy, and manufacturing sectors worldwide.
This article delves into the technical details, impact, and mitigation strategies for these vulnerabilities, emphasizing the urgency of patching and securing industrial networks.
### Key Points
- Affected Products: ABB Ability Symphony Plus Engineering versions 2.2 to 2.4 SP2 are vulnerable.
- Critical CVEs: Four high-severity vulnerabilities, including CVE-2023-5869 (CVSS 8.8) and CVE-2023-39417 (CVSS 7.5), enable arbitrary code execution and SQL injection.
- Impact: Successful exploitation could lead to system compromise, data corruption, or denial-of-service (DoS) conditions.
- Mitigation: ABB recommends upgrading to S+ Engineering 2.4 SP2 RU1 or implementing network security best practices.
- Critical Sectors: Energy, chemical, critical manufacturing, and water/wastewater industries are at risk.
### Technical Details
#### Vulnerability Breakdown
The vulnerabilities stem from flaws in PostgreSQL 13.11 and earlier, which is integrated into ABB’s Symphony Plus Engineering software. Below is a summary of the four critical CVEs:
| CVE ID | Type | CVSS Score | Severity | Description |
|------------------|-----------------------------------------------|----------------|--------------|-----------------------------------------------------------------------------------------------------|
| CVE-2023-5869 | Integer Overflow or Wraparound | 8.8 | High | Authenticated attackers can trigger an integer overflow, enabling arbitrary code execution. |
| CVE-2023-39417 | SQL Injection | 7.5 | High | Attackers with PostgreSQL privileges can execute arbitrary code via crafted extension scripts. |
| CVE-2024-7348 | Time-of-Check Time-of-Use (TOCTOU) Race Condition | 8.8 | High | Exploits a race condition in PostgreSQL utilities to execute arbitrary SQL functions. |
| CVE-2024-0985 | Privilege Dropping/Lowering Errors | 8.0 | High | Attackers can lure high-privilege users into executing arbitrary SQL functions via untrusted views. |
#### Attack Vector
To exploit these vulnerabilities, an attacker must first gain access to the S+ Client Server network. This can occur through:
- Remote access via misconfigured or compromised firewalls.
- Local access by compromising a machine within the network and pivoting to PostgreSQL.
Once inside, attackers can leverage the flaws to:
1. Execute arbitrary code with elevated privileges.
2. Inject malicious SQL commands to manipulate or exfiltrate data.
3. Exploit race conditions to bypass security controls.
4. Trick high-privilege users into executing malicious SQL functions.
#### Affected Systems
The following versions of ABB Ability Symphony Plus Engineering are affected:
- 2.2
- 2.3, 2.3_RU1, 2.3_RU2, 2.3_RU3
- 2.4, 2.4_SP1, 2.4_SP2
Critical Infrastructure Sectors:
- Chemical
- Critical Manufacturing
- Energy
- Water and Wastewater
Geographic Scope: Worldwide
### Impact Assessment
The vulnerabilities pose a significant risk to industrial environments, where system compromise can lead to:
- Operational disruption: Denial-of-service attacks could halt production lines or critical processes.
- Data breaches: SQL injection flaws may expose sensitive operational or configuration data.
- Safety risks: While functional safety systems are unaffected, compromised control systems could lead to hazardous conditions.
- Financial losses: Downtime, recovery costs, and regulatory fines could amount to millions.
Given the high CVSS scores (7.5–8.8) and the critical nature of affected industries, organizations must treat these vulnerabilities as a top priority.
### Mitigation Steps
#### Vendor Fix
ABB has released S+ Engineering 2.4 SP2 RU1 to address these vulnerabilities. Immediate actions include:
1. Upgrade: Systems running versions 2.2 to 2.4 SP2 should be upgraded to 2.4 SP2 RU1 or later.
2. Patch Management: Apply the update at the earliest convenience to minimize exposure.
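To decide which hosts need the upgrade, the affected and fixed releases listed on this page can be checked against an asset inventory. The script below is an added example, not ABB's code; the host names and inventory are constructed, and treating "or later" as (major, minor, SP, RU) ordering is an assumption.

```python
import re

# Affected releases exactly as listed on this page.
AFFECTED = {"2.2", "2.3", "2.3_RU1", "2.3_RU2", "2.3_RU3",
            "2.4", "2.4_SP1", "2.4_SP2"}
FIXED_FROM = "2.4_SP2_RU1"  # first fixed release named on this page

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:_SP(\d+))?(?:_RU(\d+))?$")

def parse_version(text):
    """Turn '2.4 SP2 RU1' or '2.4_SP2_RU1' into (major, minor, sp, ru)."""
    normalized = "_".join(text.strip().upper().split())
    match = VERSION_RE.match(normalized)
    if not match:
        raise ValueError(f"unrecognized S+ Engineering version: {text!r}")
    return tuple(int(g) if g else 0 for g in match.groups())

AFFECTED_PARSED = {parse_version(v) for v in AFFECTED}

def classify(text):
    """Return 'affected', 'fixed' or 'review' for one version string."""
    try:
        version = parse_version(text)
    except ValueError:
        return "review"  # unparseable inventory entry: check by hand
    if version in AFFECTED_PARSED:
        return "affected"
    # Assumption: "or later" follows (major, minor, SP, RU) ordering.
    if version >= parse_version(FIXED_FROM):
        return "fixed"
    # Older than the fix but not listed: the page makes no statement.
    return "review"

def triage(inventory):
    """Group host names by status, given a {host: version} mapping."""
    result = {"affected": [], "fixed": [], "review": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result

# Constructed sample inventory; host names are hypothetical.
SAMPLE_INVENTORY = {
    "eng-ws-01": "2.3_RU2", "eng-ws-02": "2.4 SP2",
    "eng-ws-03": "2.4 SP2 RU1", "eng-ws-04": "2.1",
    "eng-ws-05": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Entries that land in `review` (unlisted or unparseable versions) are deliberately not marked safe.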
#### Mitigation Strategies
For organizations unable to patch immediately, ABB recommends:
- Network Segmentation: Isolate the S+ Client Server network from business networks and the internet.
- Firewall Configuration: Restrict access to the S+ network using perimeter firewalls with minimal exposed ports.
- Access Controls: Limit user privileges and monitor access to PostgreSQL databases.
- Monitoring: Deploy intrusion detection systems (IDS) to detect suspicious activity.
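One way to monitor PostgreSQL access while the patch is pending is to review the server's connection log for sessions that originate outside the S+ Client Server network. The following is an added example, not ABB's code: it assumes `log_connections = on` with PostgreSQL's default log line prefix, and the subnet, addresses, role and database names are constructed.

```python
import ipaddress
import re

# Assumption: subnet of the S+ Client Server network at the example site.
ALLOWED_NET = ipaddress.ip_network("10.10.5.0/24")

# Messages PostgreSQL writes with log_connections = on; the bracketed
# number comes from the default log_line_prefix and is the backend PID.
RECEIVED = re.compile(r"\[(\d+)\] LOG:\s+connection received: host=(\S+)")
AUTHORIZED = re.compile(r"\[(\d+)\] LOG:\s+connection authorized: user=(\S+)")
FAILED = re.compile(
    r'\[(\d+)\] FATAL:\s+password authentication failed for user "([^"]+)"')

def in_allowed_net(host):
    """True for local sockets and addresses inside ALLOWED_NET."""
    if host == "[local]":
        return True
    try:
        return ipaddress.ip_address(host) in ALLOWED_NET
    except ValueError:
        return False  # hostname or unknown source: surface it

def find_alerts(lines):
    """Return (kind, source, user) tuples for sessions worth a look."""
    source_by_pid, alerts = {}, []
    for line in lines:
        if m := RECEIVED.search(line):
            source_by_pid[m.group(1)] = m.group(2)
        elif m := AUTHORIZED.search(line):
            source = source_by_pid.get(m.group(1), "unknown")
            if not in_allowed_net(source):
                alerts.append(("outside-network-login", source, m.group(2)))
        elif m := FAILED.search(line):
            source = source_by_pid.get(m.group(1), "unknown")
            alerts.append(("failed-login", source, m.group(2)))
    return alerts

# Constructed sample log; addresses, role and database names are hypothetical.
SAMPLE_LOG = [
    '2024-01-24 10:15:02.123 UTC [4242] LOG:  connection received: host=10.10.5.21 port=50122',
    '2024-01-24 10:15:02.130 UTC [4242] LOG:  connection authorized: user=splus_eng database=engdb',
    '2024-01-24 10:17:44.501 UTC [4250] LOG:  connection received: host=192.168.40.7 port=61034',
    '2024-01-24 10:17:44.530 UTC [4250] FATAL:  password authentication failed for user "postgres"',
    '2024-01-24 10:18:03.002 UTC [4251] LOG:  connection received: host=192.168.40.7 port=61040',
    '2024-01-24 10:18:03.015 UTC [4251] LOG:  connection authorized: user=postgres database=postgres',
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

A successful login from outside the allowed subnet also indicates that the firewall rules described above are not being enforced.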
#### Workarounds
- No official workarounds are available. Organizations must rely on patching or mitigation strategies to reduce risk.
## Conclusion
The high-severity vulnerabilities in ABB’s Symphony Plus Engineering software underscore the growing threats to industrial control systems. With attackers increasingly targeting critical infrastructure, organizations must act swiftly to patch affected systems and implement robust security measures. Failure to do so could result in catastrophic operational disruptions, data breaches, or safety incidents.
ABB’s advisory serves as a critical reminder for industries to prioritize cybersecurity in their operational technology (OT) environments. By following the recommended mitigation steps and staying vigilant, organizations can reduce their risk and protect their infrastructure from exploitation.