SB2020060317 - XML injection in ABB Central Licensing System




Published: June 3, 2020

Security Bulletin ID: SB2020060317
Severity: Medium
Patch available: No
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) XML injection (CVE-ID: CVE-2020-8475)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in the Central Licensing System. A remote unauthenticated attacker can send a specially crafted request containing malformed XML and cause a denial of service condition on the target system.

This vulnerability affects the following ABB CLS products:

  • ABB Ability System 800xA and related system extensions: Versions 5.1, 6.0, 6.1
  • Compact HMI: Versions 5.1, 6.0
  • Control Builder Safe: Versions 1.0, 1.1, 2.0
  • ABB Ability Symphony Plus – S+ Operations: Versions 3.0 to 3.2
  • ABB Ability Symphony Plus – S+ Engineering: Versions 1.1 to 2.2
  • Composer Harmony: Versions 5.1, 6.0, 6.1
  • Composer Melody (incl. SPE for Melody 1.0 SPx): Versions 5.3, 6.1, 6.2, 6.3
  • Harmony OPC Server (HAOPC): Standalone Versions 6.0, 6.1, 7.0
  • ABB Ability System 800xA / Advant OCS Control Builder A: Versions 1.3, 1.4
  • Advant OCS AC 100 OPC Server: Versions 5.1, 6.0, 6.1
  • Composer CTK: Versions 6.1, 6.2
  • AdvaBuild: Versions 3.7 SP1, 3.7 SP2
  • OPC Server MOD 300 (non-800xA): Version 1.4
  • OPC Data Link: Versions 2.1, 2.2
  • ABB Ability Knowledge Manager: Versions 8.0, 9.0, 9.1
  • ABB Ability Manufacturing Operations Management: Versions 1812, 1909

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.