EXPLOITED: ABB’s µFLO G5 Flow Computers
February 01, 2023
Story
In large critical systems, flow computers analyze readings from flow meters monitoring the rate, pressure, or temperature of liquids like oil and gas. While innocuous on their own, protecting these systems is a major concern for energy and utilities providers. Remember the Colonial Pipeline ransomware?
Claroty’s Team82 recently uncovered a path-traversal vulnerability (CVE-2022-0902) in µFLO G5 flow controllers used by oil and gas utilities worldwide. The researchers reverse-engineered the Linux single-board computers to exploit ABB’s proprietary TotalFlow protocol, which runs over Ethernet TCP or serial connections to communicate device settings, import/export configuration files, and send/retrieve flow commands and calculations from client devices.
Once commandeered, the white hat hackers were able to remotely access, configure, and execute code on the device, and disrupt the computer’s ability to accurately measure flows.
The Target: ABB’s µFLO G5 flow computers
The ABB µFLO G5 is designed around a 32-bit ARMv8 processor and equips Ethernet, USB, and other serial I/Os. Because it runs Linux, Team82 could easily emulate the device in the lab and configure it over TCP port 9999 using unencrypted TotalFlow firmware available online.
After finding the code used to implement the protocol – located in an executable file – the researchers ran an init.d script that revealed the devLoader.exe system binary. This marked the beginning of a reverse engineering process during which they copied the filesystem to a Raspberry Pi, reproduced the directory, and created an authentication bypass that provided access to user information.
Specifically, they targeted three of the µFLO G5’s primary security and authentication mechanisms:
- Role-based access control used to assign roles and permissions for reading and writing specific attributes to the client
- A physical “Security Switch” attached to the board that enables/disables the use of passwords
- Two four-digit security passcodes that authorize data reading data and writing
The hackers set about looking for “interesting functions” they could inject error-related log strings into by searching the code for similar strings in the client and firmware, memory initializations, cyclical redundancy checks (CRCs), and so on.
“We chose the simplest approach, reading/etc/shadow and using hashcat to crack the root account password, which turned out to be root:root,” Team82 said in a statement. “Then we changed the SSH configuration file to enable root to connect using the password. Then all that was left to do was to turn on the SSH daemon using the TotalFlow protocol and to connect to it.”
The Patch Procedure:
Team82 disclosed this vulnerability to ABB, which issued a firmware update that resolves the CVE-2022-0902 Path Traversal Vulnerability. During the investigation, seven functions were patched across two binaries. The exploit affects multiple ABB products, including ABB’s RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, UDC products.
Patching the issues involved the following steps:
- Run the binary
- Wait for the binary to crash (due to emulation/setup issues)
- Patch the function that causes the problem (e.g. skip a check)
- Back to Step 1
ABB also advises network segmentation as a mitigation strategy; further information is available in ABB’s advisory.