Ddos 
ABB has issued a Cyber Security Advisory addressing a critical session management vulnerability affecting its EIBPORT V3 products used in building automation systems. The flaw, tracked as CVE-2024-13967, could allow unauthorized access to sensitive configuration pages through a web session hijacking technique known as Session Fixation.
The vulnerability affects EIBPORT firmware versions ≤3.9.8, including both LAN and GSM-enabled models. According to ABB, the flaw is rooted in the improper handling of web session identifiers:
“This vulnerability allows the successful attacker to gain unauthorized access to a configuration web page delivered by the integrated web Server of EIBPORT.”
With a CVSS v3.1 base score of 8.8 (and 9.4 in CVSS v4.0), the vulnerability is classified as high severity, posing a serious threat to exposed installations.
The core issue, as explained in the advisory, is a failure in secure session management—specifically, a CWE-384: Session Fixation vulnerability. ABB clarifies:
“The session management of vulnerable FW versions of EIBPORT fails to maintain a secure session management.”
While ABB states that the vulnerability is not exploitable remotely under standard deployment scenarios, it also warns that:
“ABB became aware that some customers have commissioned EIBPORT not according to these best practices but have made the IP address to the device accessible over the Internet… against the intended use of the system.”
If exposed, an attacker could bypass authentication, gain access to system configurations, and potentially alter device behavior.
ABB has released firmware version 3.9.9, which fully addresses the vulnerability by improving how the device validates login credentials and session tokens.
“The update removes the vulnerabilities by modifying the way that the device firmware verifies login credentials and token or session identifiers. Furthermore, it hardens the product configuration wherever possible.”
Customers are strongly advised to apply the update immediately and follow additional hardening guidelines provided in ABB’s documentation.
Related Posts:
- Urgent Action Needed: ABB ASPECT Vulnerabilities Expose Buildings to Cyberattacks
- ABB Door Communication Systems exposed serious flaws
- CVE-2024-56529: mailcow Patches Session Fixation Vulnerability in Web Panel
- ABB ASPECT BMS Critical Flaws: RCE and Privilege Escalation Risks
- CVE-2024-51547 (CVSS 9.8): Hard-Coded Credentials in ABB ASPECT
Donate