CVE-2017-9664 in SREA-01

Summary

by MITRE

In ABB SREA-01 revisions A, B, C: application versions up to 3.31.5, and SREA-50 revision A: application versions up to 3.32.8, an attacker may access internal files of ABB SREA-01 and SREA-50 legacy remote monitoring tools without any authorization over the network using an HTTP request which refers to files using ../../ relative paths. Once the internal password file is retrieved, the password hash can be identified using a brute force attack. There is also an exploit allowing running of commands after authorization.


Analysis

by VulDB Data Team • 02/08/2020

CVE-2017-9664 affects the ABB SREA-01 and SREA-50 legacy remote monitoring tools and is a directory traversal flaw that gives unauthenticated network access to files the web interface was never meant to serve. The root cause is missing input validation in the devices' web interface: a crafted HTTP request whose path contains ../../ sequences is passed through to the file system without being confined to the web root. Affected versions are SREA-01 revisions A, B and C with application versions up to 3.31.5, and SREA-50 revision A with application versions up to 3.32.8, so the issue spans both product families of ABB's legacy remote monitoring line.

Exploitation is a single HTTP request. When the requested file path contains ../../ sequences, the device neither canonicalises the path nor checks that the result still lies under the web root; it resolves the relative path as given and returns whatever file it points to. This is CWE-22, improper limitation of a pathname to a restricted directory (path traversal). Because the request needs no credentials, an unauthenticated attacker can read sensitive configuration files, including the internal password file that holds the hashed credentials for administrative access.
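The following Python is an added example, not code from ABB, VulDB or the SREA firmware. It shows the CWE-22 pattern described above in a generic file-serving resolver next to a hardened one that decodes, canonicalises and then checks containment. The directory layout, the request strings and the password-file contents are constructed for the demonstration; the device's real URL layout is not on this page.

```python
"""CWE-22 path traversal: a naive file resolver beside a hardened one.

Added example, not code from ABB, VulDB or the SREA firmware. The directory
layout, request paths and password-file contents are constructed for the demo.
"""
import os
import tempfile
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """The pattern behind CVE-2017-9664: decode the request once and join it
    onto the web root. Nothing stops '../' segments from walking above it."""
    return os.path.join(web_root, unquote(requested).lstrip("/"))


def hardened_resolve(web_root: str, requested: str) -> Optional[str]:
    """Decode fully, canonicalise, then refuse anything outside the web root."""
    root = os.path.realpath(web_root)
    # Decode until stable so double-encoded input (%252e -> %2e -> .) is
    # judged by what the file system would actually see.
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath has resolved '..' and symlinks; commonpath compares whole
    # segments, so a sibling such as '/www2' cannot pass as '/www'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def read_with(resolver: Callable[[str, str], Optional[str]],
              web_root: str, requested: str) -> Optional[str]:
    """Serve a file through the given resolver; None means refused or missing."""
    path = resolver(web_root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


# Constructed requests: one legitimate page and three traversal variants.
REQUESTS = (
    "index.html",
    "../secret/passwd",            # plain dot-dot
    "%2e%2e/secret/passwd",        # percent-encoded dots
    "..%252fsecret%252fpasswd",    # double-encoded slashes
)


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Build a throwaway web root with a sibling 'secret' directory and return
    {request: (naive result, hardened result)} for each constructed request."""
    results: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    with tempfile.TemporaryDirectory() as base:
        web_root = os.path.join(base, "www")
        secret = os.path.join(base, "secret")
        os.makedirs(web_root)
        os.makedirs(secret)
        with open(os.path.join(web_root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<html>ok</html>")
        with open(os.path.join(secret, "passwd"), "w", encoding="utf-8") as fh:
            fh.write("admin:$constructed$hash\n")  # constructed, not a real hash
        for req in REQUESTS:
            results[req] = (read_with(vulnerable_resolve, web_root, req),
                            read_with(hardened_resolve, web_root, req))
    return results


if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req!r:32} naive={'served' if naive else 'refused':8} "
              f"hardened={'served' if hardened else 'refused'}")
```

The naive resolver serves the sibling password file for both the plain and the single-encoded request; the hardened one refuses both and still serves index.html. The double-encoded request is refused by both here only because the naive resolver decodes once, which is why a detection rule must not assume a single decoding pass.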

The impact goes beyond reading files. Once the internal password file is retrieved, the attacker can run an offline brute-force attack against the password hashes; how fast that succeeds depends on the hash algorithm and on password strength, but the MITRE summary states it is feasible for these devices. Valid administrative credentials then unlock the second issue noted in the summary, command execution after authorization, which turns a file disclosure into control of the device: an attacker could alter its configuration or behaviour, or keep it as a persistent foothold inside the industrial network. Remote monitoring units like these sit on the boundary between control equipment and external networks, which is exactly where unauthorised access does the most damage to operational continuity.

Mitigation starts with exposure: isolate affected units from untrusted networks and restrict access to the web interface to the management hosts that need it. Apply vendor firmware updates where ABB provides them for these legacy products; where no fixed version is available for a unit, segmentation and access control are the primary defence, not a stopgap. A web application firewall or reverse proxy in front of the device can block traversal attempts, but it must percent-decode the request (including double encoding such as %252e) and normalise the path before matching, or ../ written as %2e%2e/ passes straight through. Inventory every SREA-01 and SREA-50 on the network, check application versions against the affected ranges, and treat any unit whose password file may already have been read as compromised, rotating its credentials after the fix is in place. In ATT&CK terms the chain maps to T1071.001 (Application Layer Protocol: Web Protocols) for the HTTP delivery and T1068 (Exploitation for Privilege Escalation) for the credential abuse and command execution that follow, reflecting a multi-stage exploitation that begins with an unauthenticated path traversal and ends in system compromise. Web-server logs from the device, or from the proxy in front of it, should be reviewed for requests containing dot-dot segments in any encoding, and change control on these units should catch configuration changes that no operator made.
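As an added example, not a tool from VulDB or ABB, the following Python applies the log-analysis advice above to constructed Common Log Format lines: it percent-decodes each request target until stable, splits it into path and query segments, and flags requests with whole '..' segments, so a version string such as v2..3 is not a false positive. The IP addresses, timestamps and URL paths are invented and say nothing about the SREA's real web interface.

```python
"""Flag path-traversal attempts in web-server access logs.

Added example, not a VulDB or ABB tool. The log lines are constructed in
Common Log Format; the URL paths are invented and do not describe the SREA's
real web interface.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Segment separators: path slash, backslash, and query-string delimiters, so
# 'file=../../x' inside a parameter is split the same way as a path.
SEGMENT_SEP = re.compile(r"[/\\?=&;]")


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e%252e and %2e%2e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def traversal_segments(target: str) -> int:
    """Count whole '..' segments in the decoded request target. A literal '..'
    inside a longer segment (e.g. 'v2..3') is not traversal and is ignored."""
    decoded = fully_decode(target)
    return sum(1 for seg in SEGMENT_SEP.split(decoded) if seg == "..")


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request whose target contains dot-dot segments."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a production pipeline would count these
        target = m.group("target")
        depth = traversal_segments(target)
        if depth == 0:
            continue
        decoded = fully_decode(target)
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "target": target,
            "decoded": decoded,
            "depth": depth,
            "encoded": decoded != target,
            "status": int(m.group("status")),
        })
    return hits


# Constructed sample log (not captured from a device); paths are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/May/2018:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1532',
    '10.0.0.5 - - [24/May/2018:10:12:07 +0000] "GET /../../etc/passwd HTTP/1.1" 200 842',
    '10.0.0.5 - - [24/May/2018:10:12:09 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 910',
    '10.0.0.5 - - [24/May/2018:10:12:11 +0000] "GET /cgi/view?file=..%252f..%252fconfig HTTP/1.1" 200 455',
    '10.0.0.9 - - [24/May/2018:10:13:40 +0000] "GET /docs/v2..3/manual.html HTTP/1.1" 200 3321',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} depth={hit['depth']} "
              f"encoded={hit['encoded']} status={hit['status']} {hit['decoded']}")
```

A traversal request answered with status 200 is the record to escalate: it means the file was actually served, which on an unpatched SREA is the password-file read the summary describes. Encoded hits from the same source within seconds of a plain one usually indicate a scanner cycling through bypass variants.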

Reservation

06/14/2017

Disclosure

05/24/2018

Moderation

accepted

CPE

ready

EPSS

0.02655

KEV

no

Activities

very low

Sources
