Information disclosure in ABB SREA-01 and SREA-50

Published: 2017-08-10 00:00:00 | Updated: 2017-08-15 13:18:57
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 5.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)
CVSSv3 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE ID CVE-2017-9664
CWE ID CWE-23
Exploitation vector Network
Public exploit Not available
Vulnerable software SREA-01
SREA-50
Vulnerable software versions SREA-01 3.31.5
SREA-50 3.32.8
Vendor URL ABB
Advisory type Public

Security Advisory

1) Relative path traversal

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to relative path traversal. A remote attacker can send a specially crafted HTTP request, perform relative path traversal attack and gain access to internal files, view data, change configuration, retrieve password hash codes, and potentially insert and send commands to connected devices without authorization.

Remediation

Update to the latest version.
http://search-ext.abb.com/library/Download.aspx?DocumentID=9AKK107045A1782&LanguageCode=en&a...

External links

https://ics-cert.us-cert.gov/advisories/ICSA-17-222-05

Back to List