SB2020060315 - Information disclosure in ABB Central Licensing System

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2020-8481)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to and error in the Central Licensing System. A local user can gain unauthorized access to sensitive material within log files, which could be used to obtain full administrative control of the host.

This vulnerability affects the following ABB CLS products:

• ABB Ability System 800xA and related system extensions: Versions 5.1, 6.0, 6.1
• Compact HMI: Versions 5.1, 6.0
• Control Builder Safe: Versions 1.0, 1.1, 2.0
• ABB Ability Symphony Plus – S+ Operations: Versions 3.0 to 3.2
• ABB Ability Symphony Plus – S+ Engineering: Versions 1.1 to 2.2
• Composer Harmony: Versions 5.1, 6.0, 6.1
• Composer Melody (incl. SPE for Melody 1.0 SPx): Versions 5.3, 6.1, 6.2, 6.3
• Harmony OPC Server (HAOPC): Standalone Versions 6.0, 6.1, 7.0
• ABB Ability System 800xA / Advant OCS Control Builder A: Versions 1.3, 1.4
• Advant OCS AC 100 OPC Server: Versions 5.1, 6.0, 6.1
• Composer CTK: Versions 6.1, 6.2
• AdvaBuild: Versions 3.7 SP1, 3.7 SP2
• OPC Server MOD 300 (non-800xA): Version 1.4
• OPC Data Link: Versions 2.1, 2.2
• ABB Ability Knowledge Manager: Versions 8.0, 9.0, 9.1
• ABB Ability Manufacturing Operations Management: Versions 1812, 1909

Remediation

Install update from vendor's website.

References

• https://applied-risk.com/assets/uploads/whitepapers/AR2020002-ABB-800xA-MultipleVulnerabilities.pdf
• https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch
• https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch