#VU26058 Authorization bypass through user-controlled key in Asset Suite - CVE-2019-18998


Vulnerability identifier: #VU26058

Vulnerability risk: Medium

CVSSv4.0: 5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-18998

CWE-ID: N/A

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Asset Suite
Server applications / SCADA systems

Vendor: ABB

Description

The vulnerability allows a remote user to gain unauthorized access to sensitive information in the application.

The vulnerability exists due to improper access controls used to limit user access to resources. A remote user who knows or discovers the URL of a resource they do not have permission to access can reach that resource by browsing directly to the URL.
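As an added illustration that is not part of this advisory and not ABB's code, the following hypothetical Python handlers contrast the flaw class described above (a resource served to any authenticated user who supplies its URL) with a per-resource authorization check; the resource ids, users, URL prefix and ACL are constructed for the example.

```python
"""Constructed example: direct-URL access with authentication only, beside the
same handler with a per-resource authorization check. Hypothetical code."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample data: resources keyed by id, plus a per-resource ACL.
RESOURCES = {"report/1001": "asset inventory site A",
             "report/1002": "asset inventory site B"}
ACL = {"report/1001": {"alice"}, "report/1002": {"bob"}}

@dataclass
class Request:
    user: str   # authenticated principal (both handlers require a login)
    url: str    # e.g. "/app/report/1002"

@dataclass
class Response:
    status: int
    body: str = ""

def resource_id(url: str) -> str:
    # Strip the (hypothetical) application prefix; the rest is the user-controlled key.
    return urlparse(url).path.removeprefix("/app/")

def handle_vulnerable(req: Request) -> Response:
    """Authentication only: any logged-in user who knows the URL gets the resource."""
    rid = resource_id(req.url)
    if rid not in RESOURCES:
        return Response(404)
    return Response(200, RESOURCES[rid])

def handle_fixed(req: Request) -> Response:
    """Authorization per resource: the key in the URL is never trusted on its own."""
    rid = resource_id(req.url)
    # Same response for "absent" and "not permitted", so the URL space reveals nothing.
    if rid not in RESOURCES or req.user not in ACL.get(rid, set()):
        return Response(404)
    return Response(200, RESOURCES[rid])

if __name__ == "__main__":
    # alice is logged in but holds no permission on report/1002.
    probe = Request("alice", "/app/report/1002")
    print(handle_vulnerable(probe))  # Response(status=200, body='asset inventory site B')
    print(handle_fixed(probe))       # Response(status=404, body='')
```

The fix is the server-side check itself; hiding or randomising URLs would not close the flaw, since the key is still user-controlled.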

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Asset Suite: 9.6


External links
https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch
https://www.us-cert.gov/ics/advisories/icsa-20-072-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
