Earlier today the folks at DHS ICS-CERT published an advisory for a buffer overflow vulnerability in a number of components of ABB products containing the ABB WebWare Server application. The vulnerability was discovered by Billy Rios and Terry McCorkle; presumably reported via a coordinated disclosure.
According to the Advisory a ‘medium skilled’ attacker could craft an exploit for these vulnerabilities that could be executed remotely. A successful attack could result in a denial of service, escalation of privilege, or execution of arbitrary code.
The vulnerable applications are, according to ABB, “legacy products nearing the end of their life cycle that are no longer actively supported”. As a result ABB is only providing generic mitigation strategies (and not even providing a direct link to those strategies) for this vulnerability. According to the Advisory; “ABB does not intend to patch these vulnerable components” (page 3).
Every software developer sets their own standards for what constitutes the ‘end of the life cycle’ for their products and establishes their own rules for what support they will provide for such ‘obsolete’ products. ABB has drawn their line in the sand here. What remains to be seen is how many of their legacy systems will remain in use with this uncorrected vulnerability. More importantly, how many of their customers will decide that the lack of support for correcting this security vulnerability will make them look to some alternative supplier for replacement systems.