Vulnerability identifier: #VU61403

Vulnerability risk: Low

CVSSv3.1: 7.3 [CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22284

CWE-ID: CWE-250

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
OPC Server for AC 800M
Other software / Other software solutions
Control Builder Safe
Other software / Other software solutions
800xA Control Software for AC 800M
Other software / Other software solutions
Compact Product Suite - Control and I/O
Other software / Other software solutions

Vendor: ABB

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to application binary has a setuid bit. A remote user on the local network can run the affected binary and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OPC Server for AC 800M: 5.1.0-0 - 6.0.0-3

Control Builder Safe: 1.0 - 2.0

800xA Control Software for AC 800M: All versions

Compact Product Suite - Control and I/O: All versions

---

External links
http://search.abb.com/library/Download.aspx?DocumentID=7PAA000908&LanguageCode=en&DocumentPartId=&Action=Launch

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.