CVE-2020-8471

Description

For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, weak file permissions allow an authenticated attacker to block the license handling, escalate his/her privileges and execute arbitrary code.

CVSS breakdown

Affected products

• ABB / ABB Ability System 800xA6.1 – 6.1
• ABB / ABB Ability System 800xA5.1 – 5.1
• ABB / ABB Ability System 800xA6.0 – 6.0
• ABB / AdvaBuild3.7 SP1 – 3.7 SP1
• ABB / AdvaBuild3.7 SP2 – 3.7 SP2
• ABB / Advant OCS AC 100 OPS Server6.0 – 6.0
• ABB / Advant OCS AC 100 OPS Server5.1 – 5.1
• ABB / Advant OCS AC 100 OPS Server6.1 – 6.1
• ABB / Advant OCS Control Builder A1.4 – 1.4
• ABB / Advant OCS Control Builder A1.3 – 1.3
• ABB / Central Licensing System5.1 – 5*
• ABB / Compact HMI6.0 – 6.0
• ABB / Compact HMI5.1 – 5.1
• ABB / Composer CTK6.2 – 6.2
• ABB / Composer CTK6.1 – 6.1
• ABB / Composer Harmony5.1 – 5.1
• ABB / Composer Harmony6.0 – 6.0
• ABB / Composer Harmony6.1 – 6.1
• ABB / Composer Melody5.3 – 5.3
• ABB / Composer Melody6 – 6.3
• ABB / Control Builder Safe2.0 – 2.0
• ABB / Control Builder Safe1.1 – 1.1
• ABB / Control Builder Safe1.0 – 1.0
• ABB / Harmony OPC Server Standalone7.0 – 7.0
• ABB / Harmony OPC Server Standalone6.1 – 6.1
• ABB / Harmony OPC Server Standalone6.0 – 6.0
• ABB / Knowledge Manager8.0 – 8.0
• ABB / Knowledge Manager9.0 – 9.0
• ABB / Knowledge Manager9.1 – 9.1
• ABB / Manufacturing Operations Management1812 – 1812
• ABB / Manufacturing Operations Management1909 – 1909
• ABB / OPC Data Link2.1 – 2.1
• ABB / OPC Data Link2.2 – 2.2
• ABB / OPC Server for Mod 300 (non-800xA)1.4 – 1.4
• ABB / Symphony Plus S+ Engineering1.1 – 2.2
• ABB / Symphony Plus S+ Operations3 – 3.2

References

• MISChttps://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch
• MISChttps://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch
• VENDOR_ADVISORYhttps://www.us-cert.gov/ics/advisories/icsa-20-154-04