PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-39417 ABB CVE debrief

CVE-2023-39417 affects ABB Ability Symphony Plus S+ Engineering. According to the advisory republished by CISA from ABB PSIRT, if an administrator has installed Extension scripts and specific data is used inside a quoting construct, an attacker with proper PostgreSQL privileges may be able to execute arbitrary code on the system as the administrator. ABB’s recommended fix is to upgrade impacted systems to S+ Engineering 2.4 SP2 RU1 or later. The advisory also notes that network architecture and perimeter firewall controls can help reduce exposure, but no workaround is available.

Vendor: ABB
Product: Ability Symphony Plus
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-04-30
Advisory published: 2026-04-13
Advisory updated: 2026-04-30

Who should care

OT/ICS defenders, ABB Ability Symphony Plus operators, S+ Engineering administrators, and teams responsible for PostgreSQL-backed industrial engineering systems should review exposure. Sites running the affected S+ Engineering versions and allowing access to the S+ client/server network should prioritize this advisory.

Technical summary

The vulnerability is described as a code-execution issue that depends on two conditions: administrator-installed Extension scripts and attacker-controlled data being used within a quoting construct. The attacker must already have proper PostgreSQL privileges, and the advisory states that exploitability requires access to the site’s S+ client/server network. CISA republishes ABB PSIRT guidance indicating the affected product range spans S+ Engineering 2.2 through 2.4 SP2, with remediation by upgrading to 2.4 SP2 RU1 or later. No workaround is available.

Defensive priority

High. The CVSS score is 7.5 (HIGH), and the potential impact includes arbitrary code execution as the administrator. Prioritize internet-exposed or broadly reachable OT environments first, then confirm version status and update path for all affected deployments.

Recommended defensive actions

  • Verify whether ABB Ability Symphony Plus S+ Engineering is installed and determine whether any system is running versions 2.2 through 2.4 SP2.
  • Upgrade affected systems to S+ Engineering 2.4 SP2 RU1 or later as recommended by ABB.
  • If immediate upgrading is not possible, apply ABB’s mitigating guidance and restrict access to the S+ client/server network using network architecture and perimeter firewall controls.
  • Review whether administrator-installed Extension scripts are present and limit their use to only what is necessary.
  • Validate PostgreSQL privilege assignments and remove unnecessary privileges from accounts that do not require them.
  • Follow ABB’s general security recommendations for industrial control systems and CISA’s ICS defensive guidance.
  • Treat systems with direct or unnecessary network reachability as higher priority for segmentation and access-control review.
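The two preconditions the advisory names, administrator-installed Extension scripts and a role that already holds PostgreSQL privileges, can both be enumerated from the database catalog. The queries below are an added example, not ABB's or the advisory's own tooling; the database they target and the role name in the final REVOKE are assumptions.

```sql
-- Added audit queries (not from ABB or the advisory). Run as a PostgreSQL
-- superuser while connected to the S+ Engineering database (name assumed).

-- 1. Installed extensions: the advisory's first precondition is that an
--    administrator has installed Extension scripts, so record what is present.
SELECT e.extname,
       e.extversion,
       n.nspname AS schema,
       e.extrelocatable
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
ORDER BY e.extname;

-- 2. Roles holding elevated rights: the second precondition is an attacker
--    who already has "proper PostgreSQL privileges". List every login role
--    that is superuser, can create roles or databases, or holds CREATE on
--    the current database or on the public schema.
SELECT r.rolname,
       r.rolsuper,
       r.rolcreaterole,
       r.rolcreatedb,
       has_database_privilege(r.rolname, current_database(), 'CREATE') AS db_create,
       has_schema_privilege(r.rolname, 'public', 'CREATE')             AS public_create
FROM pg_roles r
WHERE r.rolcanlogin
  AND (r.rolsuper
       OR r.rolcreaterole
       OR r.rolcreatedb
       OR has_database_privilege(r.rolname, current_database(), 'CREATE')
       OR has_schema_privilege(r.rolname, 'public', 'CREATE'))
ORDER BY r.rolsuper DESC, r.rolname;

-- 3. Removing a right that the review shows is not needed. "example_role"
--    is a placeholder; confirm with the application owner before revoking.
REVOKE CREATE ON SCHEMA public FROM example_role;
```

Compare the output of query 1 against the list of extensions the site deliberately installed, and treat any login role returned by query 2 that is not the S+ Engineering service account as a candidate for privilege reduction.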

Evidence notes

Source corpus states the advisory title is “ABB Ability Symphony Plus Engineering” and the CISA CSAF item is an initial republication of ABB PSIRT advisory 7PAA017341. The advisory description says that when an administrator has installed Extension scripts and specific data is used inside a quoting construct, an attacker with proper PostgreSQL privileges can execute arbitrary code as the administrator. Remediation text states that systems using S+ Engineering 2.2 through 2.4 SP2 should upgrade to 2.4 SP2 RU1 (released in December 2024) or later, and that no workaround is available. The source also notes that exploitation requires access to the site’s S+ client/server network and that network architecture and perimeter firewall controls are mitigating factors.

Official resources

CVE-2023-39417 was published in the supplied source corpus on 2026-04-13T00:30:00Z and modified on 2026-04-30T06:00:00Z. The same dates apply to the CISA CSAF source item, which identifies the notice as an initial republication of ABB PSIRT