A critical vulnerability has been identified in the System Diagnostics Manager (SDM) component of ABB B&R Automation Runtime. The weakness is improper resource locking, rated CVSS v3 10.0 in the advisory, and an attacker who triggers it can stop the runtime completely, a Denial of Service (DoS) condition with full loss of the controller's service. Given the widespread use of ABB B&R systems across critical infrastructure sectors, including Chemical, Communications, Critical Manufacturing, Dams, Energy, Healthcare and Public Health, Information Technology, and Water and Wastewater, immediate remediation is essential.
Technical Analysis
The vulnerability exists in the System Diagnostics Manager (SDM) component of ABB B&R Automation Runtime. It stems from improper resource locking, which could allow an attacker to cause the product to stop completely. Two release lines are affected, each with its own fixed version:
- Automation Runtime < 6.3 (the 6.x line; fixed in 6.3)
- Automation Runtime < Q4.93 (the letter-prefixed 4.93 line; fixed in Q4.93)
Check which line a controller runs before deciding which update applies; a site rarely needs both.
The advisory assigns this vulnerability a CVSS v3 base score of 10.0 (Critical). The impact it documents is loss of availability: the product stops completely, and on a controller that means the control application stops with it.
The weakness is improper resource locking (CWE-413): a shared resource inside SDM is not locked correctly before use, and the typical result of that bug class under concurrent access is a hang or crash of the component. The advisory does not publish the trigger, and none is reconstructed here. The impact is particularly severe in industrial environments, where availability is the property that matters most.
As of this advisory's publication, there are no confirmed reports of active exploitation in the wild. However, given the severity, and the fact that SDM is the part of the runtime exposed for diagnostics, defenders should treat this as an urgent matter.
Detection & Response
To detect attempts to exploit this vulnerability, or its impact, the following detection content is provided: two Sigma rules (process-level and network-level), a Microsoft Defender KQL hunt, a Velociraptor VQL hunt, and a bash script that checks the installed version. The process-level content assumes a host on which Automation Runtime components are visible as processes and whose telemetry reaches your SIEM; for controllers that expose only SDM over the network, the network rule and an availability check of SDM itself are the signals you have. Tune the image names, host names and ports to your inventory before deploying any of it.
---
title: ABB B&R Automation Runtime Unexpected Service Termination
id: 9a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects unexpected termination of ABB B&R Automation Runtime processes which may indicate exploitation of the SDM DoS vulnerability.
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-04
author: Security Arsenal
date: 2025/07/08
tags:
    - attack.impact
    - attack.t1499
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'AR_Runtime'
            - 'B&R'
        CommandLine|contains:
            - 'stop'
            - 'terminate'
    filter:
        ParentImage|contains:
            - 'Installer'
            - 'UpdateService'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative shutdown
    - Scheduled maintenance
level: high
---
title: ABB B&R SDM Abnormal Resource Access Pattern
id: 8b2e1d71-8d3a-3c56-ab01-2d4a7e801234
status: experimental
description: Detects abnormal access patterns to the System Diagnostics Manager (SDM) that may indicate attempts to exploit improper resource locking. The port list is a placeholder; replace it with the ports SDM actually listens on in your deployment.
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-04
author: Security Arsenal
date: 2025/07/08
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 4800
            - 6600
        DestinationHostname|contains:
            - 'SDM'
            - 'Diagnostics'
    filter:
        SourceHostname|contains:
            - 'Admin'
            - 'Management'
            - 'SCADA'
    condition: selection and not filter
falsepositives:
    - Legitimate diagnostic operations
    - Authorized maintenance connections
level: medium
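To show how the first rule's selection and filter blocks combine, here is an added Python example (not part of the page's rules or any vendor tooling) that applies its `Image|contains`, `CommandLine|contains` and `ParentImage|contains` logic to a handful of constructed process-creation events; the paths and command-line switches are invented for illustration. It also includes a stricter variant, because `contains: 'stop'` is a substring test and fires on any command line that happens to contain those letters.

```python
"""Apply the first Sigma rule's selection/filter logic to sample events.

Added example, not part of the page's rules or any vendor tooling. The
events below are constructed; image paths and switches are invented.
"""

# Mirrors the rule: within one field the listed values are ORed, the fields
# of a block are ANDed, and the 'contains' modifier is a case-insensitive
# substring test.
SELECTION = {
    "Image": ["AR_Runtime", "B&R"],
    "CommandLine": ["stop", "terminate"],
}
FILTER = {
    "ParentImage": ["Installer", "UpdateService"],
}


def contains_any(value: str, needles: list) -> bool:
    """Sigma 'contains' over a value list: any needle as a case-insensitive substring."""
    value = value.lower()
    return any(n.lower() in value for n in needles)


def block_matches(event: dict, block: dict) -> bool:
    """Every field of the block must match (AND across fields)."""
    return all(contains_any(str(event.get(f, "")), needles) for f, needles in block.items())


def rule_fires(event: dict) -> bool:
    """condition: selection and not filter, exactly as the page's rule states it."""
    return block_matches(event, SELECTION) and not block_matches(event, FILTER)


def rule_fires_strict(event: dict) -> bool:
    """Same rule, but 'stop'/'terminate' must be a whole command-line token
    (leading '-' or '/' switch characters stripped), not a substring."""
    tokens = {t.lstrip("-/").lower() for t in str(event.get("CommandLine", "")).split()}
    image_ok = contains_any(str(event.get("Image", "")), SELECTION["Image"])
    verb_ok = bool(tokens & {"stop", "terminate"})
    return image_ok and verb_ok and not block_matches(event, FILTER)


# Constructed process-creation events (not real telemetry).
EVENTS = [
    # interactive stop from a shell: should fire
    {"Image": r"C:\BR\AR_Runtime.exe", "CommandLine": "AR_Runtime.exe --stop",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # the same stop issued by the installer: suppressed by the filter
    {"Image": r"C:\BR\AR_Runtime.exe", "CommandLine": "AR_Runtime.exe --stop",
     "ParentImage": r"C:\BR\Installer.exe"},
    # unrelated process: Image does not match the selection
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe stop.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # substring trap: 'autostop' contains 'stop', so the rule as written fires
    {"Image": r"C:\BR\AR_Runtime.exe", "CommandLine": "AR_Runtime.exe --autostop-timeout 30",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def triage(events, strict: bool = False):
    """Return one verdict per event, using the loose or the strict rule."""
    check = rule_fires_strict if strict else rule_fires
    return [check(e) for e in events]


if __name__ == "__main__":
    print("as written:", triage(EVENTS))              # [True, False, False, True]
    print("strict:    ", triage(EVENTS, strict=True))  # [True, False, False, False]
```

The fourth event is the one to look at: a `contains` list on `CommandLine` catches it, so in production either anchor the verb as a token (as `rule_fires_strict` does) or use a `|re` modifier with word boundaries, and keep the parent-image filter short so it cannot be abused as a blind spot.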
// Hunt for unexpected terminations of ABB B&R Automation Runtime (last 7 days).
// Confirm the ActionType values below exist in your tenant's schema before relying on
// this: DeviceProcessEvents commonly records process creation only.
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoProductName has_any ("Automation Runtime", "B&R", "AR_Runtime")
| where ActionType in ("ProcessTerminated", "ProcessStopped")
| extend Details = bag_pack("ProcessName", FileName, "CommandLine", ProcessCommandLine, "AccountName", AccountName);
// DeviceEvents carries no product name, so scope crash events by the host names of the
// machines that run Automation Runtime. The list is a placeholder; fill it from inventory.
let ArHosts = dynamic(["AR-HOST-01", "AR-HOST-02"]);
let SystemEvents = DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "DeviceCrash" and DeviceName in~ (ArHosts)
| extend Details = bag_pack("DeviceName", DeviceName, "AdditionalFields", AdditionalFields);
union ProcessEvents, SystemEvents
| project Timestamp, DeviceName, ActionType, Details
| order by Timestamp desc
-- Hunt for Automation Runtime / SDM processes on a host with Velociraptor's pslist().
-- =~ is a regular-expression match in VQL, so these patterns are unanchored substrings.
-- Signature details come from authenticode(filename=Exe), not from pslist().
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "AR_Runtime"
   OR Name =~ "AutomationRuntime"
   OR Name =~ "SDM"
   OR Exe =~ "B&R"
#!/bin/bash
# ABB B&R Automation Runtime SDM Vulnerability Remediation Script
# Checks the installed version against the fixed versions from the advisory
# (6.3 for the 6.x line, Q4.93 for the letter-prefixed 4.93 line) and offers
# hardening steps. The install paths below are placeholders: Automation
# Runtime is normally deployed on B&R controllers, so adjust them to wherever
# your environment exposes the version string, or pass the version as $1.
echo "ABB B&R Automation Runtime SDM Vulnerability Remediation"
echo "========================================================"
VERSION="${1:-}"
# Read the version from a local install (placeholder paths) unless one was supplied.
check_version() {
    local path
    local paths=("/opt/abb/automation/runtime" "/usr/local/abb/runtime" "/var/abb/runtime")
    if [ -n "$VERSION" ]; then
        echo "Using supplied Automation Runtime version: $VERSION"
        return 0
    fi
    for path in "${paths[@]}"; do
        if [ -f "$path/version.info" ]; then
            VERSION=$(tr -d '[:space:]' < "$path/version.info")
            echo "Found Automation Runtime version: $VERSION"
            return 0
        fi
    done
    echo "Could not determine Automation Runtime version. Please check manually (or pass it as the first argument)."
    return 1
}
# Report whether a process named SDM is running on this host (informational only).
check_sdm_status() {
    if pgrep -x "SDM" > /dev/null; then
        echo "System Diagnostics Manager (SDM) is running."
    else
        echo "System Diagnostics Manager (SDM) is not running as a local process."
    fi
}
# Returns 0 if $1 is an affected version, 1 if it is at or above the fix,
# 2 if the string is not one of the two documented version formats.
# A plain string comparison does not work here: every digit sorts before
# "Q", so "6.5" < "Q4.93" would wrongly flag a fixed 6.x release.
is_vulnerable() {
    local v="$1" letter num lowest
    if [[ "$v" =~ ^([A-Za-z])([0-9]+\.[0-9]+)$ ]]; then
        # Letter-prefixed 4.x line (e.g. Q4.93): fixed in Q4.93.
        letter="${BASH_REMATCH[1]^^}"
        num="${BASH_REMATCH[2]}"
        if [ "$num" = "4.93" ]; then
            [[ "$letter" < "Q" ]]
        else
            lowest=$(printf '%s\n' "$num" "4.93" | sort -V | head -n1)
            [ "$lowest" = "$num" ]
        fi
    elif [[ "$v" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
        # Numeric 6.x line (e.g. 6.2.1): fixed in 6.3.
        lowest=$(printf '%s\n' "$v" "6.3" | sort -V | head -n1)
        [ "$v" != "6.3" ] && [ "$lowest" = "$v" ]
    else
        return 2
    fi
}
check_vulnerability() {
    is_vulnerable "$VERSION"
    case $? in
        0) echo "VULNERABLE: Automation Runtime $VERSION is affected by the SDM DoS vulnerability."; return 0 ;;
        1) echo "NOT AFFECTED: Automation Runtime $VERSION is at or above the fixed version."; return 1 ;;
        *) echo "UNKNOWN: '$VERSION' is neither a 6.x nor a letter-prefixed 4.x version string; compare it against the advisory manually."; return 2 ;;
    esac
}
# Hardening measures; the commands are left commented out because the SDM port
# and the allowed address range are site-specific placeholders.
apply_hardening() {
    echo "Applying hardening measures..."
    # 1. Restrict network access to SDM (replace 4800 with the port SDM listens on)
    echo "Configuring firewall to restrict access to SDM..."
    # iptables -A INPUT -p tcp --dport 4800 -s <allowed_ip_range> -j ACCEPT
    # iptables -A INPUT -p tcp --dport 4800 -j DROP
    # 2. Monitor for unusual SDM activity
    echo "Setting up monitoring for SDM process..."
    # Create monitoring script in /usr/local/bin/monitor_sdm.sh
    # 3. Enable additional logging
    echo "Enabling enhanced logging for Automation Runtime..."
    # Configure logging in Automation Runtime settings
    echo "Hardening measures applied."
}
# Main execution: the assessment depends on the version, not on whether SDM
# happens to be running on this host.
check_sdm_status
if check_version; then
    check_vulnerability
    case $? in
        0)
            echo ""
            echo "REMEDIATION REQUIRED"
            echo "===================="
            if [[ "$VERSION" =~ ^[A-Za-z] ]]; then
                echo "1. Update to Automation Runtime Q4.93 or later"
            else
                echo "1. Update to Automation Runtime 6.3 or later"
            fi
            echo "2. If immediate patching is not possible, consider the following:"
            echo "   - Disable SDM if not required for operations"
            echo "   - Restrict network access to SDM ports"
            echo "   - Monitor closely for service disruptions"
            echo ""
            read -r -p "Apply hardening measures? (y/n) " -n 1
            echo
            if [[ $REPLY =~ ^[Yy]$ ]]; then
                apply_hardening
            fi
            ;;
        1) echo "No immediate action required based on version check." ;;
        *) echo "Could not perform complete vulnerability assessment." ;;
    esac
else
    echo "Could not perform complete vulnerability assessment."
fi
Remediation
To remediate this vulnerability, organizations using ABB B&R Automation Runtime should take the following immediate actions:
- Patch to fixed versions: update to the fixed release for the line each controller runs:
  - Automation Runtime 6.3 or later (6.x line)
  - Automation Runtime Q4.93 or later (letter-prefixed 4.93 line)
  Patches are available through the ABB B&R update channel. See the official advisory for download instructions.
- Network segmentation, as a temporary mitigation before patching:
  - Isolate affected systems from untrusted networks
  - Implement strict firewall rules so that only engineering and maintenance hosts can reach the System Diagnostics Manager (SDM) component
  - Use VPNs with multi-factor authentication for remote maintenance access
- Monitor for service disruptions, with enhanced monitoring for:
  - Unexpected service terminations or crashes
  - Unusual resource utilization patterns
  - Failed authentication attempts to SDM components
- Disable non-essential SDM functionality: if SDM is not required for operations, consider disabling it until patching can be completed.
- Backup and recovery: ensure recent backups of configuration and logic files are available in case a rollback is necessary.
The CISA advisory (ICSA-26-146-04) provides additional guidance for affected organizations, particularly those in critical infrastructure sectors. Organizations should review this advisory and incorporate the recommendations into their incident response plans.
For environments where immediate patching is not possible, consider implementing compensating controls such as additional monitoring, enhanced physical security, and temporary network isolation until patches can be safely applied during scheduled maintenance windows.
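The runtime stopping is the effect defenders actually observe, and on a controller the most direct signal is that SDM stops answering. The following Python watchdog is an added example (not vendor code and not from the advisory): it probes an HTTP endpoint and raises a "down" event only after a configurable number of consecutive failures, so one dropped probe during maintenance does not page anyone, and it emits "recovered" when the endpoint answers again. The controller address, port 80 and the `/` path are assumptions to adapt to how your controllers expose SDM; the probe is injectable, so the decision logic is shown running over a constructed sequence of results.

```python
"""Availability watchdog for a controller's SDM endpoint.

Added example, not from the advisory or from B&R. Assumes SDM answers HTTP on
port 80 of the controller (assumption); adjust host, port and path to your site.
"""
import http.client
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Watchdog:
    """Turns a stream of probe results into 'down' / 'recovered' events."""
    failures_to_alert: int = 3          # consecutive failures before alerting
    consecutive_failures: int = 0
    down: bool = False
    events: list = field(default_factory=list)

    def observe(self, ok: bool) -> Optional[str]:
        """Feed one probe result; return 'down', 'recovered' or None."""
        if ok:
            self.consecutive_failures = 0
            if self.down:
                self.down = False
                self.events.append("recovered")
                return "recovered"
            return None
        self.consecutive_failures += 1
        if not self.down and self.consecutive_failures >= self.failures_to_alert:
            self.down = True
            self.events.append("down")
            return "down"
        return None


def probe_http(host: str, port: int = 80, path: str = "/", timeout: float = 2.0) -> bool:
    """One liveness probe: True if the host returns any non-5xx HTTP response.
    Connection refused, timeout and malformed responses all count as failures."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            return resp.status < 500
        finally:
            conn.close()
    except (OSError, http.client.HTTPException):
        return False


def replay(results, failures_to_alert: int = 3):
    """Run a constructed sequence of probe results through a Watchdog."""
    wd = Watchdog(failures_to_alert=failures_to_alert)
    return [wd.observe(r) for r in results]


def watch(host: str, probe: Callable[[str], bool] = probe_http,
          interval: float = 10.0, failures_to_alert: int = 3) -> None:
    """Poll forever, printing a timestamped line on each state change."""
    wd = Watchdog(failures_to_alert=failures_to_alert)
    while True:
        event = wd.observe(probe(host))
        if event:
            print(time.strftime("%Y-%m-%dT%H:%M:%S"), host, event.upper())
        time.sleep(interval)


if __name__ == "__main__":
    # Offline demonstration with a constructed probe sequence: one transient
    # failure is ignored, three in a row raise 'down', the next success recovers.
    print(replay([True, False, True, False, False, False, False, True]))
    # Live use against an assumed controller address: watch("192.0.2.10")
```

Run the watchdog from the engineering network, not from the controller, and feed its state changes into the same place the Sigma alerts go; a "down" from this probe coinciding with a burst of SDM connections from an unexpected source is the pattern this advisory describes.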