Synopsis
The remote OT asset is affected by a vulnerability.
Description
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client, but the rsync client performs insufficient validation of the file names it receives. A malicious rsync server (or Man-in-the-Middle attacker) can overwrite arbitrary files in the rsync client's target directory and its subdirectories (for example, the .ssh/authorized_keys file).
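As an added illustration of the missing check (this is example code, not from the Tenable plugin, rsync, or ABB), the following shows how a receiving client can validate server-supplied names before using them as destination paths: names must be relative, must not contain ".." components, and must still resolve inside the destination directory after symlinks are followed. The function names, the temporary destination layout and the sample file list are constructed for this example.

```python
import os
import tempfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple


def is_safe_relative_name(name: str) -> bool:
    """Reject names an honest sender never needs: empty, NUL-bearing, absolute, or containing '..'."""
    if not name or "\0" in name:
        return False
    p = PurePosixPath(name)
    if p.is_absolute():
        return False
    # Any '..' component is refused outright, even one that would stay inside the tree.
    return all(part != ".." for part in p.parts)


def resolve_inside(dest_root: str, name: str) -> Optional[str]:
    """Return the absolute destination path for `name` if it stays within dest_root, else None.

    realpath() follows symlinks, so a link inside the destination that points
    elsewhere cannot be used to redirect the write outside the tree.
    """
    if not is_safe_relative_name(name):
        return None
    root = os.path.realpath(dest_root)
    candidate = os.path.realpath(os.path.join(root, name))
    try:
        # commonpath (not startswith) avoids prefix confusion such as /dest vs /dest2.
        return candidate if os.path.commonpath([root, candidate]) == root else None
    except ValueError:
        return None


def filter_file_list(dest_root: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a received file list into names that may be written and names that must be refused."""
    accepted, rejected = [], []
    for n in names:
        (accepted if resolve_inside(dest_root, n) else rejected).append(n)
    return accepted, rejected


def demo() -> dict:
    """Build a constructed destination tree (with one symlink escaping it) and filter a constructed file list."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(dest, "data"))
        os.makedirs(outside)
        # A symlink inside the destination pointing outside it (constructed for the demo).
        os.symlink(outside, os.path.join(dest, "link"))
        received = [                     # constructed sample file list, as if sent by a server
            "data/readme.txt",           # ordinary relative name: accepted
            "nested/new/file.bin",       # not-yet-existing subdirectories: accepted
            "data/../config.txt",        # '..' component: rejected
            "../.ssh/authorized_keys",   # traversal above the destination: rejected
            "/etc/passwd",               # absolute path: rejected
            "link/notes.txt",            # escapes via the symlink: rejected
        ]
        accepted, rejected = filter_file_list(dest, received)
        return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The check is applied to every name before any file is created, and it treats the destination as the only trust boundary; the server's own claims about what the names are play no part in the decision.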
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
Solution
The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.
For more information, please refer to ABB's Cybersecurity Advisory 2NGA002579. It provides a comprehensive mapping of mitigation applicability in relation to each individual vulnerability listed.
ABB recommends the following mitigations:
- Obtain a cellular private access point (APN). A dedicated private cellular access point and respective SIM card subscriptions can be requested from the cellular service provider. This service doesn't expose the traffic between remote sites and the main site to the Internet but rather uses the cellular operator's private wide area network (WAN). Therefore, the ARM600 wouldn't need open ports to the Internet.
- Avoid exposing any system component to the Internet. If the ARM600 must be exposed to the Internet, only the VPN port should be opened towards the Internet (e.g., Patrol management connections can be configured to use a VPN tunnel, and remote administration connections can be implemented using an OpenVPN PC-client).
- The ARM600 system is by default not dependent on the name service (DNS). If the name service is not used in the system, the name service port (TCP/UDP Port 53) can be blocked by a firewall.
- Perform firewall configuration using the 'allowlisting' principle, explicitly allowing only the required ports and protocols and blocking all other traffic.
- Filter specific ICMP packets from external systems (ICMP type 13 and 14) using a firewall to avoid exposing the system time.
- If the Internet is used as a WAN medium for carrying VPN tunnels, use a demilitarized zone (DMZ) for terminating connections from the Internet. Remote connections should terminate in the DMZ network, which would be segregated from other networks by a firewall. The ARM600 server should be located in this DMZ.
- Change the default user credentials of ARM600 and Arctic wireless gateways into non-defaults and use complex non-guessable passwords with special characters. Do not reuse passwords within the system.
- Use administrator (i.e., root user) privileges only when required by the task.
- Supporting systems, such as PCs used for configuration, should be frequently updated. If possible, use dedicated site PCs for upgrading and engineering purposes. At a minimum, PCs should be investigated by running a full virus scan with recently updated signature files before introducing the PC to the OT system. Any data, such as device configurations and firmware update files, should be virus scanned prior to transferring to the Arctic system.
- Introduce a backup policy to ensure periodic backups and backup revision numbering. Consider the following:
  a. Check that the entire system has backups available from all applicable parts.
  b. Store the backups in a safe place (e.g., in encrypted storage), restricted by role-based access control mechanisms.
  c. Ensure the security of the configuration PCs that may have local copies of device configurations.
  d. Validate the backups to ensure they are working.
- Follow cyber security best practices for installation, operation, and decommissioning as described in the product's cyber security deployment guideline and user manual.
- Use continuous monitoring (e.g., intrusion detection/prevention tools) to detect anomalies in the system.
- Consider hardening the system according to the following:
  a. Remove any unnecessary communication links in the system.
  b. If possible, close unused physical ports.
  c. Open only the necessary TCP/UDP ports in the configuration.
  d. Remove all unnecessary user accounts.
  e. Restrict traffic by firewall.
  f. Allow traffic only from/to necessary hosts' IP addresses (i.e., define both source and destination in the firewall rules, where possible).
  g. Define the client IP address as an allowed address in SCADA communication protocols, if such configuration is supported.
  h. Remove or deactivate all unused processes, communication ports, and services where possible.
  i. Use physical access controls for the system installations (e.g., server rooms and device cabinets).
- In ARM600SW installations, avoid servers with AMD processors vulnerable to the following: CVE-2021-26401, CVE-2023-20569 and CVE-2023-20593.
- Avoid using AX88179_178A chipset-based USB-to-ethernet devices.
ABB strongly recommends the following (non-exhaustive) list of cyber security practices for any installation of software-related ABB products:
- Isolate special purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them from any general purpose network (e.g., office or home networks).
- Install physical controls to ensure no unauthorized personnel can access the devices, components, peripheral equipment, and networks.
- Never connect programming software or computers containing programming software to any network other than the network intended for the devices.
- Scan all data imported into the environment before use to detect potential malware infections.
- Minimize network exposure for all applications and endpoints to ensure they are not accessible from the Internet unless they are designed for such exposure and the intended use requires it.
- Ensure all nodes are always up to date with installed software, operating system, and firmware patches, as well as anti-virus and firewall updates.
- When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
Plugin Details
File Name: tenable_ot_abb_CVE-2022-29154.nasl
Supported Sensors: Tenable OT Security
Risk Information
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Vulnerability Information
CPE: cpe:/o:abb:sw_firmware, cpe:/o:abb:arm600_firmware
Required KB Items: Tenable.ot/ABB
Exploit Ease: No known exploits are available
Patch Publication Date: 8/2/2022
Vulnerability Publication Date: 8/2/2022