5 min | critical

ABB Ability Camera Connect

ABB Ability Camera Connect versions 1.5.0.14 and earlier contain multiple critical and high-severity vulnerabilities due to an outdated bundled VLC media player component. These flaws, including buffer overflows and integer underflows, could allow an attacker to execute arbitrary code or cause a denial of service via crafted media files. The risk is significantly reduced as the application is typically deployed in isolated, air-gapped ICS environments.

Conf: high | Analyzed: 2026-05-26 | Google

Authors: CISA, ABB PSIRT

Source: CISA

What Happened

ABB Ability Camera Connect, software used in industrial environments, was found to include an outdated and vulnerable version of the VLC media player. If an attacker tricks a user into opening a specially crafted media file, they could crash the system or run malicious code. However, because this software is usually installed on isolated computers without internet access, the actual risk of this happening is very low. Organizations using this software should update to version 1.5.0.15 or manually update the VLC media player component to stay secure.

Key Takeaways

  • ABB Ability Camera Connect versions 1.5.0.14 and prior bundle a vulnerable version of VLC media player.
  • The vulnerabilities include heap-based buffer overflows, integer underflows, and use-after-free flaws that could allow arbitrary code execution or denial of service.
  • Exploitation requires local access or the opening of maliciously crafted media files (e.g., MKV, MP4, ASF, subtitles).
  • Risk is heavily mitigated by the fact that the software is typically deployed in fully isolated, air-gapped environments.
  • Updating the VLC media player component or upgrading to ABB Ability Camera Connect 1.5.0.15 remediates the vulnerabilities.

Affected Systems

  • ABB Ability Camera Connect <= 1.5.0.14
  • Windows

Vulnerabilities (CVEs)

  • CVE-2024-46461
  • CVE-2023-47360
  • CVE-2023-47359
  • CVE-2023-46814
  • CVE-2022-41325
  • CVE-2020-26664
  • CVE-2019-19721
  • CVE-2019-13962
  • CVE-2019-13615
  • CVE-2019-13602
  • CVE-2019-5460
  • CVE-2019-5459
  • CVE-2019-5439
  • CVE-2018-11529
  • CVE-2017-17670
  • CVE-2017-10699
  • CVE-2017-9301
  • CVE-2017-9300
  • CVE-2017-8313
  • CVE-2017-8312
  • CVE-2017-8311
  • CVE-2017-8310

Attack Chain

An attacker crafts a malicious media file (such as an MKV, MP4, ASF, or subtitle file) designed to exploit one of the parsing vulnerabilities in the outdated VLC media player component. The attacker then introduces this file into the isolated environment, potentially via physical media or an insider threat. When a user opens the crafted file using the vulnerable ABB Ability Camera Connect software, the exploit triggers a memory corruption issue (e.g., buffer overflow or use-after-free). This results in either a denial of service (application crash) or the execution of arbitrary code with the privileges of the user running the application.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect application crashes (DoS) and unexpected child processes spawning from the VLC media player process, but may not have visibility into the specific memory corruption events without advanced memory scanning.
  • Network Visibility: None. The affected systems are deployed in fully isolated, air-gapped environments with no network ingress/egress.
  • Detection Difficulty: Moderate. Detecting the exploitation relies on observing post-exploitation behavior (like shell execution from VLC) or application crashes, as the initial vector is a local file open.

Required Log Sources

  • Windows Event Logs (Application crashes)
  • EDR Process Telemetry

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected child processes (e.g., cmd.exe, powershell.exe) spawning from the VLC media player executable within the ABB Ability Camera Connect directory. | Process creation events (Event ID 4688 or Sysmon Event ID 1) | Execution | Low |
| Consider monitoring for frequent or unexpected application crash events (Event ID 1000) associated with the VLC media player component, which may indicate failed exploitation attempts. | Windows Application Event Logs | Execution | Medium |
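The two hunting hypotheses above, written as an added example that is not part of the advisory or of this page's source. It assumes events have been exported from the isolated host and normalized to dictionaries with Sysmon-style field names; the install path, the `vlc.exe` image name, the `FaultingApplicationPath` field name, the host names and every sample event are constructed placeholders.

```python
from collections import Counter
from ntpath import basename, normpath

# Assumptions (not from the advisory): placeholder install path and image name.
INSTALL_DIR = r"C:\Program Files\ABB\Camera Connect"
VLC_IMAGE = "vlc.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def is_bundled_vlc(path):
    """True only for the VLC binary inside the install dir, after resolving '..'."""
    p = normpath(path or "").lower()
    return basename(p) == VLC_IMAGE and p.startswith(normpath(INSTALL_DIR).lower() + "\\")

def hunt_shell_children(events):
    """Hypothesis 1: shells created by the bundled VLC (Sysmon 1 / Security 4688)."""
    return [e for e in events
            if e.get("EventID") in (1, 4688)
            and is_bundled_vlc(e.get("ParentImage"))
            and basename(e.get("Image", "")).lower() in SHELLS]

def hunt_crash_bursts(events, threshold=3):
    """Hypothesis 2: hosts with at least `threshold` Event ID 1000 crashes of the bundled VLC."""
    counts = Counter(e["Host"] for e in events
                     if e.get("EventID") == 1000
                     and is_bundled_vlc(e.get("FaultingApplicationPath")))
    return {host: n for host, n in counts.items() if n >= threshold}

VLC = INSTALL_DIR + r"\vlc\vlc.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events, normalized to the field names used above.
SAMPLE = [
    {"EventID": 1, "Host": "cam-ws1", "ParentImage": VLC, "Image": CMD},
    {"EventID": 1, "Host": "cam-ws1", "ParentImage": VLC,
     "Image": INSTALL_DIR + r"\vlc\vlc-cache-gen.exe"},          # expected helper
    {"EventID": 4688, "Host": "cam-ws2", "ParentImage": VLC.upper(), "Image": PS},
    {"EventID": 1, "Host": "cam-ws2", "ParentImage": r"C:\Windows\explorer.exe", "Image": CMD},
    {"EventID": 1000, "Host": "cam-ws1", "FaultingApplicationPath": VLC},
    {"EventID": 1000, "Host": "cam-ws1", "FaultingApplicationPath": VLC},
    {"EventID": 1000, "Host": "cam-ws1", "FaultingApplicationPath": VLC},
    {"EventID": 1000, "Host": "cam-ws2", "FaultingApplicationPath": VLC},
    {"EventID": 1000, "Host": "cam-ws2", "FaultingApplicationPath": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for e in hunt_shell_children(SAMPLE):
        print("shell from VLC:", e["Host"], e["Image"])
    print("crash bursts:", hunt_crash_bursts(SAMPLE))
```

The crash threshold of 3 is an arbitrary starting point; tune it against the baseline crash rate of the monitored workstations.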

Control Gaps

  • Lack of file sanitization for media files introduced via physical media (USB) into air-gapped environments.

Key Behavioral Indicators

  • VLC process spawning unexpected shells
  • VLC application crashes (Event ID 1000)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider updating ABB Ability Camera Connect to version 1.5.0.15, which includes the patched VLC component.
  • If a full application update is not immediately feasible, evaluate whether manually updating the bundled VLC Media Player component is supported in your environment.

Infrastructure Hardening

  • Ensure that systems running ABB Ability Camera Connect remain in fully isolated, air-gapped environments with no internet access.
  • Evaluate whether strict controls on physical media (e.g., USB drives) can be enforced to prevent the introduction of untrusted media files into the isolated environment.

User Protection

  • Consider restricting write access to the application installation directories to prevent unprivileged users from placing malicious DLLs (mitigating CVE-2023-46814).

Security Awareness

  • Consider training personnel operating in air-gapped environments on the risks of introducing unauthorized or untrusted media files via physical storage.

MITRE ATT&CK Mapping

  • T1203 - Exploitation for Client Execution
  • T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking