Security Advisory – Critical Vulnerability in B&R Automation Runtime FTP Component (CVE-2024-0323)

Summary:
B&R has released a security update for CVE-2024-0323, a critical vulnerability in the FTP server component of B&R Automation Runtime in versions prior to I4.93. The FTP server still negotiates deprecated protocol versions (SSLv3, TLS 1.0 and TLS 1.1), so an unauthenticated attacker with access to the network path can man-in-the-middle the FTP connection or decrypt the traffic exchanged with the controller.

Details:
B&R assigns the vulnerability a CVSS v3.1 base score of 9.8 (Critical). The practical impact is that data transmitted over the FTP connection between an affected controller and its communication partners, which the TLS layer is supposed to protect, can be intercepted and decrypted, or modified in transit, by an attacker positioned on the network. The score presumes that the FTP service is reachable by the attacker. B&R's advisory states that updating to Automation Runtime I4.93 addresses the issue.

Mitigation:
B&R recommends that all users of affected versions apply the security update promptly. The advisory also restates B&R's general security recommendations, which limit the attack surface independently of the update: isolate the automation network from other networks, restrict physical access to the controllers, and reach them through secure remote access methods rather than exposing controller services directly.
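The advisory does not say how to confirm that a controller, before or after the update, still accepts one of the deprecated protocol versions. The following probe is an added example written for this summary, not B&R code and not from the advisory. It assumes the controller runs an explicit-TLS FTP server (AUTH TLS, RFC 4217) on a host and port given on the command line (the default address 192.0.2.10 is an RFC 5737 documentation address, a placeholder). For each protocol version it opens a fresh control connection, issues AUTH TLS and attempts a handshake pinned to exactly that version; the result table shows which of SSLv3, TLS 1.0 and TLS 1.1 the server is still willing to negotiate, which is the downgrade target an attacker on the path would use.

```python
"""Probe which SSL/TLS versions an explicit-FTPS server (AUTH TLS) will negotiate.

Added verification example, not B&R code. Assumes the controller exposes FTP with
explicit TLS (AUTH TLS, RFC 4217) on the host/port given on the command line.
"""
import io
import socket
import ssl
import sys

# Protocol versions the advisory names as insecure; TLS 1.2/1.3 are probed for contrast.
LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1")
ALL_VERSIONS = LEGACY_VERSIONS + ("TLSv1_2", "TLSv1_3")


def read_reply(rfile):
    """Read one FTP reply (RFC 959), including the multi-line 'xyz-' ... 'xyz ' form.
    Returns (code, [text lines])."""
    first = rfile.readline()
    if len(first) < 4 or not first[:3].isdigit():
        raise ValueError("malformed FTP reply: %r" % first)
    code = int(first[:3])
    lines = [first[4:].rstrip(b"\r\n").decode("ascii", "replace")]
    if first[3:4] == b"-":                      # multi-line reply
        terminator = first[:3] + b" "
        while True:
            line = rfile.readline()
            if not line:
                raise ValueError("connection closed inside multi-line reply")
            text = line.rstrip(b"\r\n").decode("ascii", "replace")
            if line.startswith(terminator):
                lines.append(text[4:])          # drop the 'xyz ' prefix of the last line
                break
            lines.append(text)
    return code, lines


def parse_reply(data):
    """Convenience wrapper: parse an FTP reply held in a bytes object."""
    return read_reply(io.BytesIO(data))


def make_probe_context(name):
    """Client context pinned to exactly one protocol version (name as in ssl.TLSVersion).
    Certificate checks are off: we test protocol acceptance, not identity, and
    controller certificates are commonly self-signed."""
    version = getattr(ssl.TLSVersion, name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version   # ValueError if the local OpenSSL lacks this version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS < 1.2 above security level 0; lower it so the probe can offer them.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                          # LibreSSL / old builds have no security levels
    return ctx


def probe_version(host, port, name, timeout=5.0):
    """Connect, send AUTH TLS, then attempt a handshake restricted to one version.
    Outcomes: 'accepted', 'refused', 'untestable', 'no-auth-tls' or 'error: ...'."""
    try:
        ctx = make_probe_context(name)
    except (ValueError, ssl.SSLError):
        return "untestable"           # e.g. SSLv3 compiled out of the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            code, _ = read_reply(rfile)
            if code != 220:
                return "error: unexpected banner %d" % code
            sock.sendall(b"AUTH TLS\r\n")
            code, _ = read_reply(rfile)
            if code != 234:
                return "no-auth-tls"  # server does not offer explicit TLS at all
            try:
                with ctx.wrap_socket(sock, server_hostname=host):
                    return "accepted"  # handshake completed at the pinned version
            except ssl.SSLError:
                return "refused"
    except (OSError, ValueError) as exc:
        return "error: %s" % exc


def scan(host, port=21):
    """Probe every version on its own connection; returns {version name: outcome}."""
    return {name: probe_version(host, port, name) for name in ALL_VERSIONS}


def assess(results):
    """Legacy versions the server accepted; an empty list means no downgrade target was found."""
    return [name for name in LEGACY_VERSIONS if results.get(name) == "accepted"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder (RFC 5737)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    outcome = scan(target, port)
    for name in ALL_VERSIONS:
        print("%-8s %s" % (name, outcome[name]))
    weak = assess(outcome)
    print("legacy versions accepted:", ", ".join(weak) if weak else "none")
```

Two caveats when reading the output. A "refused" result for SSLv3, TLS 1.0 or TLS 1.1 is only meaningful if the local OpenSSL build can actually offer that version; "untestable" flags the cases Python can detect, but cross-checking with `openssl s_client -connect HOST:21 -starttls ftp -tls1` (or `-tls1_1`, `-ssl3`) on a machine whose OpenSSL still has those versions compiled in removes the doubt. And because each probe opens a real control connection to a production controller, run it in a maintenance window or against a test system, not as a routine scan of a running line.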

Acknowledgment:
The vulnerability was reported by ABB's Device Security Assurance Center (B&R is part of the ABB group).

For further details and support, users are encouraged to consult the official B&R documentation or contact their local B&R service organization.

Source: https://www.br-automation.com/fileadmin/SA23P018_SDM_Web_interface_vulnerable_to_XSS-1d75bee8.pdf