ABB Ability Camera Connect
Risk Summary
ABB is aware of public reports of vulnerabilities in the 3rd party component VLC media player version 2.2.4, which was delivered together with the installation package of Camera Connect version 1.5.0.14 and below. An update is available that resolves the privately reported issue of an outdated, vulnerable 3rd party component in the product versions listed as affected in this advisory. An attacker who successfully exploited any of these vulnerabilities in the 3rd party component could potentially compromise the system in different ways.
CVEs (22)
Remediations
- The VLC-based component operates solely within completely isolated environments without internet access or any connectivity to external networks. Consequently:
  • No exposure to untrusted MMS streams: The integer overflow vulnerability relies on handling a maliciously crafted external stream, which is not possible in isolated environments.
  • No remote attacker access: Without network ingress, attackers cannot trigger the vulnerability remotely.
  • Drastically reduced attack surface: The absence of any external media inputs effectively neutralizes the exploit path, significantly lowering the risk of both denial of service and code execution.
- The problem is corrected in the following product version: ABB Ability Camera Connect 1.5.0.15. The 3rd party component has already been updated. The easiest path to mitigate the problem is an update of just VLC Media Player by the customer. ABB recommends that customers apply the update at their earliest convenience. It is also possible to update to the latest version of Camera Connect.
- • Air-gapped environments only: Camera Connect is deployed in completely isolated environments lacking any network connectivity or internet access.
  • No exposure to MMS streams: The vulnerability depends on processing crafted MMS streams, which cannot originate from external or internal network sources when the system is air-gapped.
  • Elimination of remote attack surface: Without any method for an attacker to deliver malicious media inputs, the vulnerability cannot be triggered remotely.
  • Strong reduction in exploitation risk: The combined absence of external media ingestion and unavailable network paths effectively neutralizes the integer underflow exploit, significantly reducing the likelihood of both denial-of-service and memory corruption scenarios.
- Given that Camera Connect is deployed exclusively in fully isolated, air-gapped environments with no internet access or external network connectivity, the following risk-reduction factors apply:
  • No exposure to crafted MMS streams: The exploit requires the receipt of specially crafted packets via the MMS protocol, which cannot occur without network connectivity.
  • Network attack vector eliminated: As the vulnerability’s CVSS vector highlights a network-based attack (AV:N), the lack of any ingress network path nullifies the attack surface.
  • Low likelihood of exploitation: Without access to malicious media input, there is effectively no practical method for an attacker to trigger memory corruption, making the likelihood of denial of service or arbitrary code execution negligible.
- Given that the VLC-based component is installed exclusively within air-gapped environments under strict administrative control, the following factors substantially reduce risk:
  • Restricted user access: Only trusted, privileged users perform installations and modifications. Standard users have no write permissions to the uninstaller directory.
  • No internet or network access: The exploit requires local manipulation of VLC’s uninstaller files; without external connectivity, remote coercion or manipulation is impossible.
  • Elimination of attacker vector: In air-gapped deployments with administrative controls, unprivileged users cannot place malicious DLLs or executables in the uninstaller’s search path.
  • Minimized privilege escalation risk: The combination of controlled write access, absence of network exposure, and trusted user roles effectively neutralizes the binary hijacking threat, rendering successful exploitation highly unlikely.
- Camera Connect is deployed exclusively in air-gapped environments with no internet connectivity or external network access, which significantly reduces the risk:
  • No exposure to malicious MKV files: The exploit requires a specially crafted Matroska file. In controlled environments without external media sources, such files cannot be introduced.
  • Remote attack vector eliminated: The vulnerability’s CVSS vector indicates a network-based attack scenario, which is impossible without connectivity.
  • Strict operational controls: Media ingestion is limited to trusted sources under administrative supervision, further minimizing the likelihood of malicious file introduction.
  • Effective risk reduction: These combined factors render exploitation highly improbable, neutralizing the buffer overflow threat.
- • No exposure to malicious ASF files: The exploit requires a specially crafted ASF file. In controlled environments without external media sources, such files cannot be introduced.
  • Remote attack vector eliminated: The vulnerability’s CVSS vector indicates a network-based attack scenario, which is impossible without connectivity.
  • Strict operational controls: Media ingestion is limited to trusted sources under administrative supervision, further minimizing the likelihood of malicious file introduction.
  • Effective risk reduction: These combined factors render exploitation highly improbable, neutralizing the buffer overflow threat.
- • No exposure to malicious MKV files: The exploit requires a specially crafted MKV file. In controlled environments without external media sources, such files cannot be introduced.
  • Remote attack vector eliminated: The vulnerability’s CVSS vector indicates a network-based attack scenario, which is impossible without connectivity.
  • Strict operational controls: Media ingestion is limited to trusted sources under administrative supervision, further minimizing the likelihood of malicious file introduction.
  • Effective risk reduction: These combined factors render exploitation highly improbable, neutralizing the buffer overflow threat.
- The affected software is deployed exclusively in isolated environments with no internet connectivity and restricted external access. Exploitation of this vulnerability requires a user to open a specially crafted MKV file provided by an attacker. Since the system operates in a controlled network without exposure to untrusted sources, the likelihood of receiving and executing malicious media files is significantly reduced. Additionally, operational procedures can enforce the use of trusted media files only, further minimizing the risk.
- The affected VLC component is deployed exclusively in fully isolated, air-gapped environments with no internet connectivity and tightly controlled external sources. Exploitation of CVE-2017-17670 requires a user to open a specifically crafted MP4 file containing a type conversion error in the demuxer. Since the system only processes trusted media files—validated through internal procedures and secured media channels—the probability of exposure to hostile MP4 content is minimal. Therefore, the risk of successful exploitation is significantly mitigated by the restricted deployment context.
- No network-based exposure: The vulnerability requires an external actor to supply malicious media content. With no Internet connectivity and presumably controlled file sources, the risk of loading untrusted files is minimal.
- This vulnerability affects the libmpgatofixed32_plugin.dll module in VLC 2.2.4, which is responsible for decoding MPEG audio streams. The software in question does not process audio files or use any functionality related to audio decoding, meaning the vulnerable component is never invoked during normal operation. Additionally, the deployment environment is fully offline with no internet connectivity, and media ingestion is restricted to trusted internal sources. As a result, the attack surface for this vulnerability is effectively nonexistent, and the risk of exploitation is negligible under these conditions.
- This vulnerability affects VLC’s FLAC audio processing component. Camera Connect does not handle or process audio files, meaning the vulnerable code path is never executed during normal operation. Combined with the fact that the deployment environment is fully isolated (air-gapped) and does not allow external file transfers from untrusted sources, the likelihood of exploitation is effectively eliminated.
- Even though the affected VLC version (2.2.4) contains this vulnerability, the software is deployed in fully air-gapped environments with no external or internet-facing connectivity. As a result, the likelihood of exploiting this vulnerability is extremely low.
- Because the affected VLC version (2.2.4) suffers from a heap out-of-bounds read in the ParseJSS function—allowing an attacker to read uninitialized heap data via a crafted subtitles file—the risk of external exploitation is significantly reduced in your environment. Since the software is installed in strictly isolated systems with no internet access, no external attacker can deliver malicious subtitle files remotely. Consequently, the only remaining exposure is local: an insider would need to intentionally load a crafted subtitle file to trigger the issue—a scenario considered highly unlikely under current governance and usage controls.
- Since the application is deployed exclusively in isolated, air-gapped environments with no external network connectivity, the attack vector—specifically, the ability for an attacker to deliver a crafted subtitle file—is significantly constrained.
- Because your team’s VLC-based software is deployed only in isolated environments without internet access, the risk of malicious delivery of crafted subtitle files is greatly diminished. This significantly reduces exploitation likelihood.
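
The uninstaller mitigation above depends on standard users having no write permission to the VLC directory. The PowerShell check below is an added example, not part of ABB's advisory: it lists Allow ACEs that grant write-type rights to the built-in standard-user groups. `$VlcDir` is a value the operator must supply, because the advisory does not state the install path.

```powershell
# Added example: audit who can write into the directory tree holding the VLC uninstaller.
# $VlcDir is an assumption supplied by the operator; the advisory gives no install path.
param(
    [Parameter(Mandatory)] [string]$VlcDir
)

# Well-known SIDs for low-privileged groups (locale-independent, unlike group names).
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow planting or replacing a DLL/EXE. 'Modify' and 'FullControl'
# are not listed because they include read bits; their write bits are covered here.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs store raw generic rights instead: GENERIC_WRITE and GENERIC_ALL.
$genericBits = 0x40000000 -bor 0x10000000

# The directory itself plus every subdirectory beneath it.
$targets = @(Get-Item -LiteralPath $VlcDir) +
           @(Get-ChildItem -LiteralPath $VlcDir -Recurse -Directory -Force)

$findings = foreach ($t in $targets) {
    $acl = Get-Acl -LiteralPath $t.FullName
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and $lowPrivSids.ContainsKey($sid) -and
            ($rights -band ($writeBits -bor $genericBits))) {
            [pscustomobject]@{
                Path      = $t.FullName
                Principal = $lowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Conservative report: Deny ACEs that might override an Allow are not evaluated.
if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
Write-Output "No write access for standard-user groups under $VlcDir"
```

A non-zero exit code means at least one directory in the tree is writable by a standard-user group, so the "restricted user access" assumption does not hold on that host.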
Affected Vendors
Affected Products (2)
Affected Sectors
Chemical, Commercial Facilities, Communications, Critical Manufacturing, Energy, Transportation Systems