CVE-2023-3322

7.0 HIGH

📋 TL;DR

This vulnerability allows low-privileged users to read and modify data in Zenon system directories, potentially enabling unauthorized access and manipulation of critical industrial control system data. It affects ABB Ability™ zenon installations from version 11 build through 11 build 106404.

💻 Affected Systems

Products:
  • ABB Ability™ zenon
Versions: From version 11 build through 11 build 106404
Operating Systems: Windows (typical for SCADA/ICS systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations within the vulnerable version range; typical in industrial control system environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify configuration files, disrupt industrial processes, manipulate operational data, or establish persistence in critical infrastructure systems.

🟠 Likely Case

Unauthorized data access and modification leading to operational disruption, data integrity issues, or information disclosure in industrial environments.

🟢 If Mitigated

Limited impact with proper access controls, network segmentation, and monitoring in place to detect unauthorized directory access attempts.

🌐 Internet-Facing: MEDIUM - While typically not internet-facing, if exposed, it could allow remote attackers to compromise industrial control systems.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts could exploit this to manipulate critical industrial processes and data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires low-privileged user access; exploitation involves specially crafted programs targeting Zenon directory permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version beyond 11 build 106404

Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590

Restart Required: Yes

Instructions:

1. Download the patch from ABB's official advisory.
2. Backup current configuration and data.
3. Apply the update following ABB's installation instructions.
4. Restart the system as required.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Directory Permissions

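Platform: Windows

Manually adjust directory permissions to restrict low-privileged user access to Zenon system directories. A deny entry takes precedence over any allow entry, so these commands also block every service or operator account that is a member of Users; confirm which accounts zenon runs under before applying them.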

icacls "C:\Program Files\ABB\zenon\*" /deny "Users":(OI)(CI)F
icacls "C:\ProgramData\ABB\zenon\*" /deny "Users":(OI)(CI)F

Implement Least Privilege Access

Platform: all

Review and restrict user accounts to minimum necessary permissions for Zenon operations

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Zenon systems from general network access
  • Deploy enhanced monitoring and alerting for unauthorized directory access attempts

🔍 How to Verify

Check if Vulnerable:

Check Zenon version in Help > About or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\ABB\zenon\Version

Check Version:

reg query "HKLM\SOFTWARE\ABB\zenon" /v Version

Verify Fix Applied:

Confirm version is beyond 11 build 106404 and test directory permissions with low-privileged accounts
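
One way to check the directory permissions, as an added example that is not from ABB or from this page's source: it lists allow entries that give low-privileged principals write-type access. The function name `Get-WeakAce`, the SID list and the bit mask are assumptions of this example; the two paths are the ones quoted in the workaround above.

```powershell
# Added example (not vendor code). Paths are the ones quoted in the
# workaround above; adjust them to the real install location.
$Paths = @('C:\Program Files\ABB\zenon', 'C:\ProgramData\ABB\zenon')

# Well-known SIDs treated as low-privileged (assumption: add site groups).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Access-mask bits that allow changing content, the ACL or the owner:
# WriteData, AppendData, DeleteChild, Delete, WRITE_DAC, WRITE_OWNER,
# GENERIC_ALL, GENERIC_WRITE (generic bits appear on inherit-only ACEs).
$WriteBits = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path, [bool]$IncludeInherited = $true)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $IncludeInherited,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $bits = [int]$ace.FileSystemRights -band $WriteBits
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivSids -contains $ace.IdentityReference.Value -and
            $bits -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Not found: $root"; continue }
    Get-WeakAce -Path $root          # all ACEs on the root, inherited included
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WeakAce -Path $_.FullName -IncludeInherited $false }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write-capable ACEs for low-privileged SIDs found.' }
```

Children are reported only for explicit entries, so one inherited grant at the root is not repeated for every file beneath it.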

📡 Detection & Monitoring

Log Indicators:

  • Failed or successful access attempts to Zenon directories by non-administrative users
  • Unexpected file modifications in Zenon system directories

Network Indicators:

  • Unusual network traffic from Zenon hosts
  • Unexpected connections to Zenon directory shares

SIEM Query:

(EventID=4663 OR EventID=4656) AND ObjectName LIKE "%zenon%" AND SubjectUserName NOT IN ("Administrator", "SYSTEM")
