CVE-2017-9664 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2017-9664?

CVE-2017-9664 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows unauthenticated attackers to access internal files on ABB SREA-01 and SREA-50 remote monitoring tools via directory traversal attacks. Once the password file is retrieved, attackers can crack the hash and potentially execute commands. Affected systems include specific hardware revisions and software versions of these industrial control system devices.

📋 TL;DR

This vulnerability allows unauthenticated attackers to access internal files on ABB SREA-01 and SREA-50 remote monitoring tools via directory traversal attacks. Once the password file is retrieved, attackers can crack the hash and potentially execute commands. Affected systems include specific hardware revisions and software versions of these industrial control system devices.

💻 Affected Systems

Products:

ABB SREA-01
ABB SREA-50

Versions: SREA-01 revisions A, B, C: up to 3.31.5; SREA-50 revision A: up to 3.32.8

Operating Systems: Embedded/Proprietary

Default Config Vulnerable: ⚠️ Yes

Notes: Legacy remote monitoring tools used in industrial control systems; vulnerability exists in default configurations.

📦 What is this software?

Srea 01 Firmware by Abb

View all CVEs affecting Srea 01 Firmware →

Srea 50 Firmware by Abb

View all CVEs affecting Srea 50 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial monitoring systems leading to unauthorized command execution, potential manipulation of industrial processes, and lateral movement within operational technology networks.

🟠

Likely Case

Unauthorized access to sensitive configuration files, password hash theft, and potential credential compromise leading to unauthorized system access.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.

🌐 Internet-Facing: HIGH - HTTP-based attack requiring no authentication makes internet-exposed systems extremely vulnerable.

🏢 Internal Only: HIGH - Even internally, the lack of authentication requirement makes these systems vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit involves simple HTTP requests with directory traversal sequences; password cracking requires additional tools but is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SREA-01: above 3.31.5; SREA-50: above 3.32.8

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-222-05

Restart Required: Yes

Instructions:

1. Contact ABB for updated firmware. 2. Backup configuration. 3. Apply firmware update. 4. Restart device. 5. Verify new version is running.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable devices in separate network segments with strict firewall rules.

Access Control Lists

all

Implement strict IP-based access controls to limit HTTP access to authorized management stations only.

🧯 If You Can't Patch

Implement network-level authentication (VPN, client certificates) before allowing access to device management interfaces.
Deploy web application firewall (WAF) with directory traversal protection rules in front of vulnerable devices.

🔍 How to Verify

Check if Vulnerable:

Attempt HTTP request to device with path traversal payload (e.g., GET /../../etc/passwd) and check for file disclosure.

Check Version:

Check device web interface or use SNMP query to verify firmware version is above vulnerable thresholds.

Verify Fix Applied:

After patching, attempt same directory traversal attacks; should receive error or access denied instead of file contents.

📡 Detection & Monitoring

Log Indicators:

HTTP requests containing '../' sequences
Unusual file access patterns from unauthorized IPs
Multiple failed authentication attempts following file access

Network Indicators:

HTTP requests with directory traversal patterns to industrial devices
Traffic to/from industrial devices from unexpected sources

SIEM Query:

source_ip=* AND (http_uri CONTAINS '../' OR http_uri CONTAINS '..\\') AND dest_ip=[ABB_DEVICE_IP_RANGE]

📊 Metadata

CVE ID: CVE-2017-9664

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-23

Published: May 24, 2018

Last Updated: November 21, 2024

🔗 References

http://www.securityfocus.com/bid/100260 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-05 Mitigation,Third Party Advisory,US Government Resource
http://www.securityfocus.com/bid/100260 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-05 Mitigation,Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-9664, you might also want to check these: