ID

VAR-202004-2158


CVE

CVE-2020-8476


TITLE

Input validation vulnerabilities in multiple ABB products

Trust: 0.8

sources: JVNDB: JVNDB-2020-005097

DESCRIPTION

For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2, Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB Ability™ SCADAvantage versions 5.1 to 5.6.5, a weakness in validation of input exists that allows an attacker to alter licenses assigned to the system nodes by sending specially crafted messages to the CLS web service. Multiple ABB products contain an input validation vulnerability. Information may be tampered with. ABB Ability System 800xA and the other listed products are made by the Swiss company ABB. ABB Ability System 800xA is a distributed control system for the industrial control industry. ABB Compact HMI is a monitoring and data acquisition system. ABB Control Builder Safe is an engineering tool for configuring and downloading the AC 800M High Integrity safety application. Central Licensing Server is one of the license servers. An input validation error vulnerability exists in the Central Licensing Server component of several ABB products. An attacker could exploit this vulnerability by sending a specially crafted message to modify the licenses assigned to a system node.

Trust: 1.8

sources: NVD: CVE-2020-8476 // JVNDB: JVNDB-2020-005097 // VULHUB: VHN-186601 // VULMON: CVE-2020-8476

AFFECTED PRODUCTS

vendor: abb, model: 800xa system, scope: eq, version: 5.1

Trust: 1.1

vendor: abb, model: 800xa system, scope: eq, version: 6.0

Trust: 1.1

vendor: abb, model: 800xa system, scope: eq, version: 6.0.1

Trust: 1.1

vendor: abb, model: 800xa system, scope: eq, version: 6.0.3

Trust: 1.1

vendor: abb, model: 800xa system, scope: eq, version: 6.0.3.3

Trust: 1.1

vendor: abb, model: 800xa system, scope: eq, version: 6.1

Trust: 1.1

vendor: abb, model: compact hmi, scope: eq, version: 5.1

Trust: 1.1

vendor: abb, model: compact hmi, scope: eq, version: 6.0.1-1

Trust: 1.1

vendor: abb, model: compact hmi, scope: eq, version: 6.0.3-2

Trust: 1.1

vendor: abb, model: control builder safe, scope: eq, version: 1.0

Trust: 1.1

vendor: abb, model: control builder safe, scope: eq, version: 1.1

Trust: 1.1

vendor: abb, model: control builder safe, scope: eq, version: 2.0

Trust: 1.1

vendor: abb, model: compact hmi, scope: -, version: -

Trust: 0.8

vendor: abb, model: control builder safe, scope: -, version: -

Trust: 0.8

vendor: abb, model: system 800xa, scope: -, version: -

Trust: 0.8

sources: VULMON: CVE-2020-8476 // JVNDB: JVNDB-2020-005097 // NVD: CVE-2020-8476

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8476
value: HIGH

Trust: 1.0

cybersecurity@ch.abb.com: CVE-2020-8476
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-005097
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202004-2366
value: HIGH

Trust: 0.6

VULHUB: VHN-186601
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-8476
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-8476
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-005097
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-186601
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-8476
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

cybersecurity@ch.abb.com: CVE-2020-8476
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-005097
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-186601 // VULMON: CVE-2020-8476 // JVNDB: JVNDB-2020-005097 // CNNVD: CNNVD-202004-2366 // NVD: CVE-2020-8476 // NVD: CVE-2020-8476

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-186601 // JVNDB: JVNDB-2020-005097 // NVD: CVE-2020-8476

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2366

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202004-2366

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005097

PATCH

title: SECURITY ABB Central Licensing System Vulnerabilities, impact on System 800xA, Compact HMI and Control Builder Safe
url: https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch

Trust: 0.8

title: SECURITY Multiple Vulnerabilities in ABB Central Licensing System
url: https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch

Trust: 0.8

sources: JVNDB: JVNDB-2020-005097

EXTERNAL IDS

db: NVD, id: CVE-2020-8476

Trust: 2.6

db: ICS CERT, id: ICSA-20-154-04

Trust: 1.4

db: JVN, id: JVNVU94921886

Trust: 0.8

db: JVNDB, id: JVNDB-2020-005097

Trust: 0.8

db: CNNVD, id: CNNVD-202004-2366

Trust: 0.7

db: AUSCERT, id: ESB-2020.1926

Trust: 0.6

db: VULHUB, id: VHN-186601

Trust: 0.1

db: VULMON, id: CVE-2020-8476

Trust: 0.1

sources: VULHUB: VHN-186601 // VULMON: CVE-2020-8476 // JVNDB: JVNDB-2020-005097 // CNNVD: CNNVD-202004-2366 // NVD: CVE-2020-8476

REFERENCES

url:https://search.abb.com/library/download.aspx?documentid=2paa121230&languagecode=en&documentpartid=&action=launch

Trust: 1.7

url:https://search.abb.com/library/download.aspx?documentid=2paa121231&languagecode=en&documentpartid=&action=launch

Trust: 1.7

url:https://search.abb.com/library/download.aspx?documentid=3cca2020-003309&languagecode=en&documentpartid=&action=launch

Trust: 1.6

url:https://www.us-cert.gov/ics/advisories/icsa-20-154-04

Trust: 1.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-8476

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8476

Trust: 0.8

url:https://jvn.jp/vu/jvnvu94921886/index.html

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1926/

Trust: 0.6

url:https://search.abb.com/library/download.aspx?documentid=2paa121230&languagecode=en&documentpartid=&action=launch

Trust: 0.1

url:https://search.abb.com/library/download.aspx?documentid=2paa121231&languagecode=en&documentpartid=&action=launch

Trust: 0.1

url:https://search.abb.com/library/download.aspx?documentid=3cca2020-003309&languagecode=en&documentpartid=&action=launch

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-186601 // VULMON: CVE-2020-8476 // JVNDB: JVNDB-2020-005097 // CNNVD: CNNVD-202004-2366 // NVD: CVE-2020-8476

SOURCES

db: VULHUB, id: VHN-186601
db: VULMON, id: CVE-2020-8476
db: JVNDB, id: JVNDB-2020-005097
db: CNNVD, id: CNNVD-202004-2366
db: NVD, id: CVE-2020-8476

LAST UPDATE DATE

2024-11-23T21:35:51.598000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-186601, date: 2022-10-28T00:00:00
db: VULMON, id: CVE-2020-8476, date: 2020-06-09T00:00:00
db: JVNDB, id: JVNDB-2020-005097, date: 2020-06-05T00:00:00
db: CNNVD, id: CNNVD-202004-2366, date: 2022-10-31T00:00:00
db: NVD, id: CVE-2020-8476, date: 2024-11-21T05:38:54.843

SOURCES RELEASE DATE

db: VULHUB, id: VHN-186601, date: 2020-04-29T00:00:00
db: VULMON, id: CVE-2020-8476, date: 2020-04-29T00:00:00
db: JVNDB, id: JVNDB-2020-005097, date: 2020-06-05T00:00:00
db: CNNVD, id: CNNVD-202004-2366, date: 2020-04-28T00:00:00
db: NVD, id: CVE-2020-8476, date: 2020-04-29T02:15:11.687