ICSA-25-296-02  ·  Published 2025-10-23

ASKI Energy ALS-Mini-S8 and ALS-Mini-S4

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of this vulnerability could allow an attacker to gain full control over the device.

CVEs (1)

Remediations

ABB, the parent company of ASKI, reports that the affected products reached their end of life in 2022. As these products are no longer supported, there are no plans for a fix. ABB recommends the following mitigations:

  • Ensure the product is not exposed to the public internet.
  • Within the control system, put the product behind a firewall that strictly limits network traffic to a small set of whitelisted IPs, or alternatively route the traffic through a secure proxy that enforces authentication and logging.
  • Monitor product access using a firewall, IDS, or IPS, and configure alerts for any access attempts from non-whitelisted IPs.
  • Ensure surrounding systems are fully updated to reduce attack vectors.

Additionally, ABB recommends the following workaround:

  • Physically disconnect the Ethernet port if the embedded web server is not being used.
  • With the port disconnected, the embedded web server and all its functionality, including load monitoring, alarms, remote configuration, etc., will not be accessible. However, the product will continue functioning as normal based on configured control parameters.

For more information, please reference ABB's security advisory 4TZ00000006007.
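
One way to implement the monitoring mitigation above, as an added example that is not part of the advisory or ABB's guidance: a Python check that scans firewall log lines and flags any traffic to the device from a source outside the allowlist. The device address, allowlist ranges, and netfilter LOG-style line format are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re

# Assumptions (not from the advisory): RFC 5737 documentation addresses
# stand in for real ones, and the firewall writes key=value packet records
# in the style of the netfilter LOG target.
DEVICE_IPS = {ipaddress.ip_address("192.0.2.10")}       # ALS-Mini unit (placeholder)
ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/28"),            # engineering workstations
    ipaddress.ip_network("198.51.100.40/32"),           # authenticating proxy
]

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def find_violations(lines):
    """Return (src, dst, proto, dport) for each packet record that targets
    a protected device from a source outside the allowlist."""
    alerts = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # not a packet record, or an unparsable address
        if dst not in DEVICE_IPS:
            continue  # traffic to some other host
        if any(src in net for net in ALLOWLIST):
            continue  # permitted source
        alerts.append((str(src), str(dst),
                       fields.get("PROTO", "?"), fields.get("DPT", "?")))
    return alerts

# Constructed sample log lines
SAMPLE_LOG = [
    "Oct 23 10:01:12 fw kernel: IN=eth1 OUT=eth2 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=80",
    "Oct 23 10:02:40 fw kernel: IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=80",
    "Oct 23 10:02:41 fw kernel: IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=192.0.2.50 PROTO=TCP SPT=40023 DPT=22",
    "Oct 23 10:03:05 fw kernel: IN=eth1 OUT=eth2 SRC=198.51.100.40 DST=192.0.2.10 PROTO=TCP SPT=38000 DPT=443",
    "Oct 23 10:04:19 fw kernel: IN=eth1 OUT=eth2 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50100 DPT=80",
    "Oct 23 10:05:00 fw systemd[1]: Started daily log rotation.",
]

if __name__ == "__main__":
    for src, dst, proto, dport in find_violations(SAMPLE_LOG):
        print(f"ALERT non-allowlisted access: {src} -> {dst} {proto}/{dport}")
```

The check matches on destination address only, so it flags any protocol or port reaching the device, not just the web interface.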

Affected Vendors

ASKI Energy

Affected Products (2)

ASKI Energy · ALS-mini-s4 IP (serial number from 2000 to 5166) vers:all/*
ASKI Energy · ALS-mini-s8 IP (serial number from 2000 to 5166) vers:all/*

Affected Sectors

Energy, Critical Manufacturing
