CVE-2022-1607
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery.This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ABB | Pulsar Plus System Controller NE843_S | comcode 150042936 | affected |
| ABB | Infinity DC Power Plant | H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415 | affected |
Weaknesses
- CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)
Workarounds
A workaround is to use the controller’s Read/Write Enable/Disable feature for a network port (NET1,WRE=0). The controller can disable all writes over the network port. The factory default is to have the write capability enabled. However, some customers do not want settings to be remotely changed once systems are set. This feature, when set to Disable, will allow no changes to be accepted. Once set it can only be changed locally through the front panel. ABB has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors. When a workaround reduces functionality, this is identified below as “Impact of workaround”
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.