The vulnerabilities exposed the system’s database to attacks
The Austrian company B&R1, part of the ABB group, thanked Natalya Tlyapova, Senior Security Researcher at Application Analysis at Positive Technologies, for discovering five database vulnerabilities in the APROL industrial process control system. The solution is used in various industries, including energy, oil and gas, engineering, and food. The vendor was notified of the threat as part of the responsible disclosure policy and fixed the vulnerabilities in new versions of the sotware.
"The biggest threats were three vulnerabilities that allow a remote code execution attack," said Natalya Tlyapova. "These are CVE-2022-43761 (CVSS v3.1 score of 9.4), CVE-2022-43762 (score of 7.5), and CVE-2022-43764 (score of 9.8). Attackers could have combined these bugs to infiltrate a server running B&R APROL, with CVE-2022-43761 allowing to read and corrupt data in the system’s database. Such changes could lead to abnormal functioning of the control system and disrupt the technological process."
Users must install patched versions of the APROL system (R 4.2-07 with AutoYaST or V4.2-070.0.120102). These updates ensure secure access to the database using TLS encryption2.
To search for traces of information security violations in ICS networks and discover cyberattacks at early stages, Positive Technologies offers a hardware and software suite for deep analysis of industrial traffic, PT Industrial Security Incident Manager (PT ISIM), which can detect exploitation of the APROL vulnerabilities described here. PT ISIM is part of the PT Industrial Cybersecurity Suite, a platform for cyberthreat detection and incident response in industrial systems.
This is not the first time Positive Technologies’ research has allowed B&R to improve the security of its products. In 2019, Positive Technologies helped fix multiple vulnerabilities in 12 components of the B&R APROL system.