ABB PCM600 Vulnerabilities

Overview

ABB identified one use of password hash with insufficient computational effort and three insufficiently protected credentials vulnerabilities in its PCM600 product. These vulnerabilities were found by Ilya Karpov from Positive Technologies. ABB released a new version to mitigate these issues.

Affected Products

PCM600 up to and including Version 2.6

Impact

Exploitation of these vulnerabilities could allow an attacker to edit the main application or gain access to PCM600 or connected devices. The impact to individual organizations varies based on their operational environment, architecture, and product implementation.

Vulnerability Characterization

Vulnerability Overview

1. Use of Password Hash with Insufficient Computational Effort (CVE-2016-4511)
   - The main application password in the ACTConfig configuration file uses a weak hashing function.
   - CVSS v3 base score: 2.8
2. Insufficiently Protected Credentials (CVE-2016-4516)
   - The main application password is stored insecurely after being changed.
   - CVSS v3 base score: 2.8
3. Insufficiently Protected Credentials (CVE-2016-4524)
   - OPC Server IEC61850 authentication passwords are temporarily stored insecurely.
   - CVSS v3 base score: 4.6
4. Insufficiently Protected Credentials (CVE-2016-4527)
   - PCM600 authentication credentials are stored insecurely.
   - CVSS v3 base score: 2.8

Exploitability

These vulnerabilities are not remotely exploitable and require user interaction.

Existence of Exploit

No known public exploits specifically target these vulnerabilities.

Difficulty

A low-skilled attacker could exploit these vulnerabilities.

Mitigation

ABB recommends updating to PCM600 Version 2.7.
Additional security practices include:

- Physically protecting control systems
- Avoiding direct internet connections
- Separating control systems from other networks
- Not using control systems for web browsing or email
- Scanning portable devices before connection

For remote access, use secure methods like VPNs.

Organizations should also follow established internal procedures for reporting suspected malicious activity to ICS-CERT.