PatchSiren cyber security CVE debrief

CVE-2017-10989 ABB CVE debrief

The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact. The vulnerability carries a CVSS score of 9.8 and is rated critical. It was originally reported in 2017 and has recently been republished by CISA. ABB B&R Automation Studio is among the affected products; ABB has fixed it in version 6.5, and users should update as soon as practical.

Vendor: ABB
Product: B&R Automation Studio
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-18
Original CVE updated: 2026-05-21
Advisory published: 2026-02-18
Advisory updated: 2026-05-21

Who should care

Organizations running B&R Automation Studio versions prior to 6.5 should prioritize this patch. Because the flaw sits in SQLite's RTree extension and is triggered by a crafted database, the exposed surface is every host on which Automation Studio might open a database file supplied by an untrusted party (shared project files, vendor deliverables, attachments). Given the critical CVSS score and the engineering role Automation Studio plays in industrial control environments, defenders should treat it as a high-priority patch.

Technical summary

The flaw is in getNodeSize in ext/rtree/rtree.c, the routine that determines the node size of an RTree virtual table. In a crafted database the RTree node blob can be smaller than the code expects; the RTree code then reads past the end of the heap buffer holding the blob, a heap-based buffer over-read. The CVE text describes the consequence as an over-read "or possibly unspecified other impact", so the confirmed outcome is a crash or disclosure of adjacent heap memory, with further impact not ruled out. Because SQLite is embedded in many products, GDAL and B&R Automation Studio among them, the same bug is present wherever a vulnerable SQLite with the RTree extension is built in, which is what makes a single library bug show up across unrelated vendors' advisories. The CVSS 9.8 score is the worst-case assessment; in practice the attacker must get the affected application to open a malicious database file.
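To make the bug class concrete, here is an added example written for this debrief. It is not SQLite's rtree.c and does not reproduce the real getNodeSize; it models a simplified RTree-style node blob (an assumed layout: 2-byte height, 2-byte cell count, then fixed-size cells) and contrasts a walker that trusts the header with one that validates the blob length first. The function names, constants and the three sample blobs are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of an R-tree node blob (ASSUMED layout for this example,
 * not SQLite's real on-disk format):
 *   bytes 0-1  node height      (big-endian)
 *   bytes 2-3  number of cells  (big-endian)
 *   then       cells of an 8-byte rowid plus 2*ndim coordinates of 4 bytes
 */
enum { NODE_HDR = 4, CELL_ROWID = 8, COORD_SIZE = 4, MAX_DIM = 5 };

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

static size_t cell_size(int ndim) {
    return CELL_ROWID + (size_t)2 * (size_t)ndim * COORD_SIZE;
}

/* Vulnerable style: trust the header and walk every cell it announces.
 * Returns how many bytes that walk covers. A caller that dereferences this
 * range on an undersized blob reads past the end of the heap buffer. */
size_t node_bytes_walked_unchecked(const uint8_t *blob, int ndim) {
    uint16_t ncell = rd16(blob + 2);            /* header trusted blindly */
    return NODE_HDR + (size_t)ncell * cell_size(ndim);
}

/* How far past the end of a blob of length len the unchecked walk would go
 * (0 means it stays inside). Computed, not performed, so the example itself
 * never touches out-of-bounds memory. */
size_t node_overread(const uint8_t *blob, size_t len, int ndim) {
    size_t need = (len < NODE_HDR) ? NODE_HDR
                                   : node_bytes_walked_unchecked(blob, ndim);
    return (need > len) ? need - len : 0;
}

/* Hardened: check the blob length before trusting any field in it.
 * Returns 0 when every announced cell lies inside the blob, -1 otherwise. */
int node_validate(const uint8_t *blob, size_t len, int ndim) {
    if (blob == NULL || ndim < 1 || ndim > MAX_DIM) return -1;
    if (len < NODE_HDR) return -1;             /* cannot even read the header */
    uint16_t ncell = rd16(blob + 2);
    /* ncell <= 65535 and cell_size <= 48, so the product cannot overflow. */
    if ((size_t)ncell * cell_size(ndim) > len - NODE_HDR) return -1;
    return 0;
}

/* Safe accessor: rowid of cell i, refusing to touch an unvalidated blob.
 * Sets *ok to 1 on success, 0 (and returns 0) on any rejection. */
int64_t node_cell_rowid(const uint8_t *blob, size_t len, int ndim,
                        uint16_t i, int *ok) {
    *ok = 0;
    if (node_validate(blob, len, ndim) != 0) return 0;
    if (i >= rd16(blob + 2)) return 0;
    const uint8_t *c = blob + NODE_HDR + (size_t)i * cell_size(ndim);
    uint64_t v = 0;
    for (int k = 0; k < CELL_ROWID; k++) v = (v << 8) | c[k];
    *ok = 1;
    return (int64_t)v;
}

/* Constructed sample blobs (not taken from any real database). With ndim=2
 * a cell is 24 bytes, so a one-cell node is exactly 28 bytes. */
static const uint8_t good_node[28] = {
    0x00, 0x00,                         /* height 0: leaf node */
    0x00, 0x01,                         /* one cell */
    0, 0, 0, 0, 0, 0, 0, 0x2A,          /* rowid 42 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0   /* four coordinates */
};
/* Same 28 bytes, but the header claims three cells: an undersized blob. */
static const uint8_t crafted_node[28] = {
    0x00, 0x00,
    0x00, 0x03,
    0, 0, 0, 0, 0, 0, 0, 0x2A,
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0
};
/* A blob too short to hold even the 4-byte header. */
static const uint8_t truncated_node[2] = { 0x00, 0x00 };

int main(void) {
    printf("good:      validate=%d over-read=%zu bytes\n",
           node_validate(good_node, sizeof good_node, 2),
           node_overread(good_node, sizeof good_node, 2));
    printf("crafted:   validate=%d over-read=%zu bytes\n",
           node_validate(crafted_node, sizeof crafted_node, 2),
           node_overread(crafted_node, sizeof crafted_node, 2));
    printf("truncated: validate=%d over-read=%zu bytes\n",
           node_validate(truncated_node, sizeof truncated_node, 2),
           node_overread(truncated_node, sizeof truncated_node, 2));
    return 0;
}
```

The point of the pair is that the fix for this class of bug is not in the walker but before it: every length and count read from the file must be checked against the number of bytes actually allocated for the blob before any of them is used as an index. For the crafted blob the unchecked walk would run 48 bytes past the 28-byte buffer; the validated accessor refuses it and returns nothing.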

Defensive priority

High priority: the CVSS score is 9.8 (critical) and the bug is a heap-based buffer over-read in a file-parsing path of a widely embedded library. Patch affected systems promptly, especially engineering workstations in industrial control environments.

Recommended defensive actions

  • Upgrade B&R Automation Studio to version 6.5 or later.
  • Apply CISA's general security recommendations for industrial control systems: keep control-system hosts off the internet, segment them behind firewalls, and reach them only through hardened remote-access channels.
  • Inventory every system running B&R Automation Studio prior to 6.5 and, because the root cause is SQLite through 3.19.3, any other product that bundles an older SQLite with the RTree extension compiled in.
  • Treat SQLite database files from outside the organization as untrusted input; the bug is triggered only when the affected application opens a crafted database.
  • Monitor affected hosts for unexpected crashes of the application, the most likely visible sign of a malformed database being processed, and for other suspicious activity that could indicate exploitation attempts.
  • Where patching cannot be done immediately, apply compensating controls, for example restricting which users and which file sources may load database files into Automation Studio.

Evidence notes

The CVE was first published on 2017-09-05 and has since been republished. CISA provides information about the vulnerability and its impact on industrial control systems. ABB provides a fix in B&R Automation Studio 6.5.

Official resources

This article is AI-assisted and based on the supplied source corpus.