CVE-2018-20720 in Relion 630

Summary

by MITRE

ABB Relion 630 devices 1.1 before 1.1.0.C0, 1.2 before 1.2.0.B3, and 1.3 before 1.3.0.A6 allow remote attackers to cause a denial of service (reboot) via a reboot command in an SPA message.


Analysis

by VulDB Data Team • 05/01/2020

The vulnerability identified as CVE-2018-20720 affects ABB Relion 630 devices running specific firmware versions, presenting a significant remote denial of service risk that could compromise industrial control systems. This vulnerability resides within the device's communication protocol handling mechanism, specifically in how it processes Secure Packet Authentication (SPA) messages containing reboot commands. The affected versions include 1.1 before 1.1.0.C0, 1.2 before 1.2.0.B3, and 1.3 before 1.3.0.A6, indicating a widespread issue across multiple firmware releases that were designed for industrial automation and control applications.

The technical flaw manifests when an unauthenticated remote attacker can craft and transmit a specially formatted SPA message containing a reboot command to the affected device. This vulnerability operates at the network protocol level and represents a weakness in input validation and authentication mechanisms. The device lacks proper sanitization of incoming SPA messages, allowing malicious actors to exploit the absence of proper command verification procedures. According to CWE classification, this vulnerability maps to CWE-129 Input Validation, as the system fails to properly validate and sanitize incoming commands before executing them. The flaw also aligns with CWE-347 Improper Verification of Cryptographic Signature, since the SPA message authentication may not be properly verified before command execution.

The operational impact of this vulnerability extends beyond simple service disruption, potentially affecting critical industrial processes that rely on continuous operation of ABB Relion 630 devices. These devices are commonly deployed in power generation, transmission, and distribution systems where unexpected reboots could lead to cascading failures or safety hazards. The remote nature of the attack means that adversaries do not require physical access or network credentials to exploit the vulnerability, making it particularly dangerous in industrial environments where network segmentation may not be comprehensive. This vulnerability directly relates to the ATT&CK technique T1499.004, specifically Denial of Service via Resource Exhaustion, where the attacker can cause device reboot through legitimate command processing without requiring additional resources or complex attack chains.

Mitigation should prioritize updating affected devices to the fixed firmware releases named in the summary (1.1.0.C0, 1.2.0.B3 and 1.3.0.A6 for the respective branches), which are the versions in which ABB addressed this issue. Network segmentation and firewall rules should restrict which hosts can reach these devices, limiting the attack surface and preventing unauthorized network access. Monitoring should be configured to detect unusual reboot patterns or unauthorized SPA message traffic, providing early warning. Secure network protocols and authentication mechanisms should be enforced to prevent unauthorized command execution, and regular security assessments should be conducted to identify similar weaknesses in other industrial control system components. Organizations should also consider intrusion detection rules tuned to SPA message anomalies and establish incident response procedures for handling suspected exploitation attempts.
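As an added illustration of the firmware-update step, not code from VulDB or ABB: a small inventory-triage helper that parses Relion 630 firmware strings and compares them against the three fixed builds named in this record. The version grammar (major.minor.patch.LetterDigits) is inferred from the strings in the summary, the ordering of the revision letter is an assumption, and the device inventory is constructed.

```python
import re
from typing import Optional, Tuple

# Fixed versions per affected branch, taken from the CVE-2018-20720 description.
FIXED_BY_BRANCH = {
    (1, 1): "1.1.0.C0",
    (1, 2): "1.2.0.B3",
    (1, 3): "1.3.0.A6",
}

VersionKey = Tuple[int, int, int, str, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.([A-Z])(\d+))?$")

def parse_version(text: str) -> VersionKey:
    """Turn a Relion 630 firmware string such as '1.2.0.B3' into a sortable key.
    Assumption: a missing revision letter sorts below 'A0' (so '1.2' < '1.2.0.A0')."""
    m = _VERSION_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, letter, build = m.groups()
    return (int(major), int(minor), int(patch or 0), letter or "", int(build or 0))

def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected branch and older than its fix,
    False if it is at or after the fix, None if the advisory does not name the branch."""
    key = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(key[:2])
    if fixed is None:
        return None
    return key < parse_version(fixed)

def triage(inventory: dict) -> dict:
    """Map device name -> affected status for a {name: firmware_version} inventory."""
    return {name: is_affected(ver) for name, ver in inventory.items()}

# Constructed sample inventory (device names and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "IED-FEEDER-01": "1.1.0.B9",   # 1.1 branch, before 1.1.0.C0 -> affected
    "IED-FEEDER-02": "1.1.0.C0",   # exactly the fixed build -> not affected
    "IED-TRAFO-01": "1.2.0.B3",    # fixed build -> not affected
    "IED-TRAFO-02": "1.2",         # 1.2 with no revision letter -> affected
    "IED-BUS-01": "1.3.0.A5",      # before 1.3.0.A6 -> affected
    "IED-BUS-02": "2.0.0.A1",      # branch not named in the advisory -> None
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(name, {True: "affected", False: "not affected", None: "not covered"}[status])
```

Devices reported as "not covered" fall outside the version ranges this record lists and need a separate check against the vendor's advisory.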

Reservation

01/15/2019

Disclosure

01/15/2019

Moderation

accepted

CPE

ready

EPSS

0.00584

KEV

no

Activities

very low
