CVE-2020-24681 - OpenCVE

Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Br-automation	Automation Studio

Configuration 1 [-]

AND

OR	cpe:2.3:a:br-automation:automation_studio::::::::
	cpe:2.3:a:br-automation:automation_studio::::::::
	cpe:2.3:a:br-automation:automation_studio::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ABB

Published: 2024-02-02T06:58:24.173Z

Updated: 2024-02-02T06:58:24.173Z

Reserved: 2020-08-26T00:00:00.000Z

Link: CVE-2020-24681

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-02-02T07:15:07.333

Modified: 2024-02-10T04:05:04.527

Link: CVE-2020-24681

JSON object: View

Redhat Information

No data.

CWE

CWE-732

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2020-24681", "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "state": "PUBLISHED", "assignerShortName": "ABB", "dateReserved": "2020-08-26T00:00:00.000Z", "datePublished": "2024-02-02T06:58:24.173Z", "dateUpdated": "2024-02-02T06:58:24.173Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Automation Studio", "vendor": "B&R Industrial Automation", "versions": [{"lessThanOrEqual": "4.6.x", "status": "affected", "version": "4.6.0", "versionType": "custom"}, {"lessThan": "4.7.7 SP", "status": "affected", "version": "4.7.0", "versionType": "custom"}, {"lessThan": "4.8.6 SP", "status": "affected", "version": "4.8.0", "versionType": "custom"}, {"lessThan": "4.9.4 SP", "status": "affected", "version": "4.9.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "NET/PVI", "vendor": "B&R Industrial Automation", "versions": [{"lessThanOrEqual": "4.6.x", "status": "affected", "version": "4.6.0", "versionType": "custom"}, {"lessThan": "4.7.7", "status": "affected", "version": "4.7.0", "versionType": "custom"}, {"lessThan": "4.8.6", "status": "affected", "version": "4.8.0", "versionType": "custom"}, {"lessThan": "4.9.4", "status": "affected", "version": "4.9.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "B&R would like to thank the following for working with us to help protect our customers: Mr. Andrew Hofmans"}], "datePublic": "2021-11-29T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.<p>This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.</p>"}], "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.\n\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB", "dateUpdated": "2024-02-02T06:58:24.173Z"}, "references": [{"url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf"}], "source": {"discovery": "UNKNOWN"}, "title": "Automation Studio and PVI Multiple incorrect permission assignments for services", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nB&R has identified the following specific workarounds and mitigations.\nUsers of B&R Automation Studio and PVI may manually reconfigure permission settings on these \nservices to allow modification only for privileged users.\nAdditionally, it is recommended to limit access to the workstation running B&R Automation Studio and PVI \nto authorized users.\n\n\n<br>"}], "value": "\nB&R has identified the following specific workarounds and mitigations.\nUsers of B&R Automation Studio and PVI may manually reconfigure permission settings on these \nservices to allow modification only for privileged users.\nAdditionally, it is recommended to limit access to the workstation running B&R Automation Studio and PVI \nto authorized users.\n\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "96888691-48DD-4173-B526-A325B8433F1B", "versionEndExcluding": "4.7.7.74", "versionStartIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "04F8420B-E58C-4C17-B47B-15356571E650", "versionEndExcluding": "4.8.6.30", "versionStartIncluding": "4.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "0515B5D7-8B71-4D6E-B0E1-4E61B930A54E", "versionEndExcluding": "4.9.4.92", "versionStartIncluding": "4.9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.\n\n"}, {"lang": "es", "value": "La asignaci\u00f3n de permisos incorrecta para la vulnerabilidad de recursos cr\u00edticos en B&R Industrial Automation Automation Studio permite la escalada de privilegios. Este problema afecta a Automation Studio: desde 4.6.0 hasta 4.6.X, desde 4.7.0 antes de 4.7.7 SP, desde 4.8.0 antes de 4.8.6 SP, desde 4.9.0 anterior a 4.9.4 SP."}], "id": "CVE-2020-24681", "lastModified": "2024-02-10T04:05:04.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2024-02-02T07:15:07.333", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "cybersecurity@ch.abb.com", "type": "Primary"}]}