Information disclosure in ABB Central Licensing System



Published: 2020-06-03
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-8481
CWE-ID CWE-200
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		ABB Central Licensing System (CLS)
Server applications / Other server solutions

Vendor ABB

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU27364

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8481

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to and error in the Central Licensing System. A local user can gain unauthorized access to sensitive material within log files, which could be used to obtain full administrative control of the host.

This vulnerability affects the following ABB CLS products:

  • ABB Ability System 800xA and related system extensions: Versions 5.1, 6.0, 6.1
  • Compact HMI: Versions 5.1, 6.0
  • Control Builder Safe: Versions 1.0, 1.1, 2.0
  • ABB Ability Symphony Plus – S+ Operations: Versions 3.0 to 3.2
  • ABB Ability Symphony Plus – S+ Engineering: Versions 1.1 to 2.2
  • Composer Harmony: Versions 5.1, 6.0, 6.1
  • Composer Melody (incl. SPE for Melody 1.0 SPx): Versions 5.3, 6.1, 6.2, 6.3
  • Harmony OPC Server (HAOPC): Standalone Versions 6.0, 6.1, 7.0
  • ABB Ability System 800xA / Advant OCS Control Builder A: Versions 1.3, 1.4
  • Advant OCS AC 100 OPC Server: Versions 5.1, 6.0, 6.1
  • Composer CTK: Versions 6.1, 6.2
  • AdvaBuild: Versions 3.7 SP1, 3.7 SP2
  • OPC Server MOD 300 (non-800xA): Version 1.4
  • OPC Data Link: Versions 2.1, 2.2
  • ABB Ability Knowledge Manager: Versions 8.0, 9.0, 9.1
  • ABB Ability Manufacturing Operations Management: Versions 1812, 1909

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ABB Central Licensing System (CLS): before 5.1.0.38

External links

http://applied-risk.com/assets/uploads/whitepapers/AR2020002-ABB-800xA-MultipleVulnerabilities.pdf
http://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch
http://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###