ABB 800xA Multiple Vulnerabilities - Applied Risk

ABB 800xA Multiple Vulnerabilities

Author: William Knowles

Release Date: 20 April 2020

AR2020002 Industrial Security Advisory

Copyright notice

Copyright © 2020 by Applied Risk BV. All rights reserved.

Overview

Multiple vulnerabilities were identified within ABB 800xA and related products, which could allow an attacker to achieve damaging effects, including obtaining remote access to 800xA hosts, escalating privileges on them, or causing denial-of-service conditions.

Affected products

The following versions were affected:

• 800xA Base all versions.

• OPC Server for AC 800M all versions.

• MMS Server for AC 800M all versions.

• Base Software for SoftControl all versions.

• 800xA for DCI all versions.

• 800xA for MOD 300 all versions.

• 800xA RNRP all versions.

• 800xA Batch Management all versions.

• 800xA Information Management all versions.

• Control Builder M Professional version 6.1 and earlier.

• Control Builder Safe versions 1.0, 1.1 and 2.0.

• Compact HMI versions 5.1 and 6.0.

Impact

An attacker could leverage the identified vulnerabilities to achieve the following objectives:

• Remotely compromise hosts.

• Remotely and locally cause denial-of-service conditions.

• Locally elevate privileges using multiple approaches.

Background

ABB 800xA is Distributed Control System (DCS) software, widely used across multiple industry sectors.

Vulnerability details

Remote Code Execution

The Information Manager was found to be affected by a vulnerability that would allow an attacker to obtain remote code execution. This vulnerability requires luring a user (on a host with a vulnerable Information Manager installation) to access a malicious website (e.g., on the local network), which then instructs the user’s browser to load the vulnerable component, before passing it malicious input.

Applied Risk has calculated a CVSSv3 score of 8.8 for this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

The following CVE was assigned for this vulnerability:

• CVE-2020-8477 – Affecting System 800xA and Information Manager (product issue number 800xAINM-OL-5101-016).

Privilege Escalation Through Weak Kernel Object Permissions

Multiple products were affected by a vulnerability that would allow an authenticated but unprivileged user to modify certain memory locations of privileged processes. An attacker could cause denial-of-service conditions by corrupting these memory locations, and potentially leverage them for privilege escalation depending on how those memory locations were used.

Applied Risk has calculated a CVSSv3 score of 7.0 for this vulnerability. The CVSS vector string is AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

The following CVEs were assigned for this vulnerability:

• CVE-2020-8478 – Affecting OPC Server for AC800M, MMS Server for AC 800M, Base Software for SoftControl (product issue number 800xACON-OL-5020-00164).

• CVE-2020-8484 – Affecting 800xA for DCI (product issue number 800xADCI-OL-6100-007).

• CVE-2020-8485 – Affecting 800xA for MOD 300 (product issue number 800xAMOD-OL-6100-007).

• CVE-2020-8486 – Affecting 800xA RNRP (product issue number 800xARNR-OL-3110-00001).

• CVE-2020-8487 – Affecting System 800xA Base (product issue number 800xASYS-OL-5120-00213).

• CVE-2020-8488 – Affecting 800xA Batch Management (product issue number 800xAPMB-OL-6030-035).

• CVE-2020-8489 – Affecting 800xA Information Management (800xAINM-OL-6030-002).

Privilege Escalation Through Weak File Permissions

Multiple products were affected by a vulnerability that would allow an authenticated but unprivileged user to modify the system-wide configuration due to weak file permissions. An attacker could leverage these weak permissions to escalate their privileges, or generate denial-of-service effects through file deletion or modification.

Applied Risk has calculated a CVSSv3 score of 7.8 for this vulnerability. The CVSS vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

The following CVEs were assigned for this vulnerability:

• CVE-2020-8472 – Affecting OPC Server for AC 800M, Control Builder M Professional, MMS Server for AC 800M, Base Software for SoftControl (product issue number 800xACON-MS-4100-001).

• CVE-2020-8473 – Affecting System 800xA Base (product issue numbers 800xASYS-OL-5120-00195 and 800xASYS-OL-5120-00196).

• CVE-2020-8471 – Affecting System 800xA version 5.1, Compact HMI version 5.1, and Control Builder Safe versions 1.0 and 1.1 (product issue number 800xASRV-OL-5100-014).

Privilege Escalation Through Weak Registry Key Permissions

Multiple products were affected by a vulnerability that would allow an authenticated but unprivileged user to modify the system-wide configuration, which would lead to the arbitrary loading and execution of a DLL when certain ABB programs are opened. This execution would occur under the privileges of the user running the software, such as other users on the system, and could therefore be used for privilege escalation.

Applied Risk has calculated a CVSSv3 score of 7.8 for this vulnerability. The CVSS vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

The following CVE was assigned for this vulnerability:

• CVE-2020-8474 – Affecting System 800xA Base (product issue number 800xASYS-OL-5120-00197).

Denial-of-Service Through the Parsing of Malformed XML Syntax

The Central Licensing System used within multiple products contained a vulnerability that would result in a crash of the underlying service when a request containing malformed XML was parsed. An attacker could potentially leverage this to impact operations.

Applied Risk has calculated a CVSSv3 score of 7.5 for this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

The following CVE was assigned for this vulnerability:

• CVE-2020-8475 – Affecting System 800xA versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, and Control Builder Safe versions 1.0, 1.1, 2.0 (product issue number 800xASRV-OL-5100-012).

XML External Entity Injection

The Central Licensing System used within multiple products contained a vulnerability that would allow an attacker to provide a malicious XML document, which could lead to the ability to read arbitrary files on the license server from a network perspective, and could also be used to block license handling.

Applied Risk has calculated a CVSSv3 score of 8.2 for this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L.

The following CVE was assigned for this vulnerability:

• CVE-2020-8479 – Affecting System 800xA versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, and Control Builder Safe Versions 1.0, 1.1, 2.0 (product issue number 800xASRV-OL-5100-011).

Sensitive Information in Log Files

The Central Licensing System used within multiple products contained a vulnerability that exposed sensitive material within log files, which could be used to obtain full administrative control of the host.

Applied Risk has calculated a CVSSv3 score of 7 for this vulnerability. The CVSS vector string is: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

The following CVE was assigned for this vulnerability:

• CVE-2020-8481 – Affecting System 800xA version 5.1 (product issue number 800xASRV-IN-5100-001).

License Server Exposed Remotely Without Authentication

The Central Licensing System used within multiple products was found to be exposed on the public interface of a system by default, and required no authentication. An attacker could potentially leverage this to impact operations, such as through modifying license assignments.

Applied Risk has calculated a CVSSv3 score of 5.3 for this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

The following CVE was assigned for this vulnerability:

• CVE-2020-8476 – Affecting System 800xA versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, and Control Builder Safe Versions 1.0, 1.1, 2.0 (product issue number 800xASRV-OL-5100-013).

Mitigation

Due to the wide range of products affected, Applied Risk recommends consulting the official ABB guidance for remediation actions. References to this guidance are provided in the following section. Note, however, that in some cases these vulnerabilities do not have patches available at the time of publication (e.g., for kernel object permissions). In these cases, remediation must occur through a wider defense-in-depth strategy.

References

Vendor website: https://new.abb.com/

Product page: https://new.abb.com/control-systems/system-800xa

Vendor advisories and remediation guidance:

• CVE-2020-8477: https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232&LanguageCode=en&DocumentPartId=&Action=Launch

• CVE-2020-8478, CVE-2020-8484, CVE-2020-8485, CVE-2020-8486, CVE-2020-8487, CVE-2020-8488, CVE-2020-8489: https://library.e.abb.com/public/b042856c10d24dd3b6c8e32d47b11669/2PAA121236_A_en_SECURITY%20Inter%20process%20communication%20vulnerability%20in%20System%20800xA.pdf

• CVE-2020-8481, CVE-2020-8479, CVE-2020-8475, CVE-2020-8476, CVE-2020-8471: https://library.e.abb.com/public/bda2d3f8182c4eec9d7fe827530d5017/2PAA121230_A_en_SECURITY%20ABB%20Central%20Licensing%20System%20Vulnerabilities,%20impact%20on%20System%20800xA,%20Compact%20HMI%20and%20Control%20Builder%20Safe.pdf and https://library.e.abb.com/public/14fded51ac87463fa912995e8107b4aa/2PAA121231_A_en_SECURITY%20Multiple%20Vulnerabilities%20in%20ABB%20Central%20Licensing%20System.pdf

• CVE-2020-8474: https://library.e.abb.com/public/98366714fa934af38147494eb5e548fd/2PAA121221_B_en_SECURITY%20System%20800xA%20Weak%20Registry%20Permissions.pdf

• CVE-2020-8472, CVE-2020-8473: https://library.e.abb.com/public/70bc72e69d0a4f898c0313d011c5376e/2PAA121106_A_en_SECURITY%20System%20800xA%20Weak%20File%20Permissions.pdf?x-sign=70SsmbC4AVdrmL3EBGiHkedv4nuZ89cGYMyRWppobroHbXAgtsCiiRGSUo9uTCVR

Contact details

For any questions related to this report, please contact the Applied Risk Research team at:

Email: [email protected]

PGP Public Key:
