CVE-2020-8478 - OpenCVE

Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Abb	Base Software Ac800m Opc Server Mms Server

Configuration 1 [-]

AND

OR	cpe:2.3:a:abb:mms_server::::::::
	cpe:2.3:a:abb:opc_server::::::::

cpe:2.3:h:abb:ac800m:-:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:abb:base_software:*:*:*:*:*:softcontrol:*:*

References

Link	Resource
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ABB

Published: 2020-04-29T01:58:54

Updated: 2020-04-29T01:58:54

Reserved: 2020-01-30T00:00:00

Link: CVE-2020-8478

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-04-29T02:15:11.763

Modified: 2020-05-13T18:48:00.137

Link: CVE-2020-8478

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "OPC Server for AC 800M", "vendor": "ABB", "versions": [{"status": "affected", "version": "all versions"}]}, {"product": "MMS Server for AC 800M", "vendor": "ABB", "versions": [{"status": "affected", "version": "all versions"}]}, {"product": "Base Software for SoftControl", "vendor": "ABB", "versions": [{"status": "affected", "version": "all versions"}]}], "descriptions": [{"lang": "en", "value": "Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-264", "description": "CWE-264 Permissions, Privileges, and Access Controls", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-29T01:58:54", "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch"}], "source": {"discovery": "UNKNOWN"}, "title": "ABB System 800xA Inter process communication vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@ch.abb.com", "ID": "CVE-2020-8478", "STATE": "PUBLIC", "TITLE": "ABB System 800xA Inter process communication vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OPC Server for AC 800M", "version": {"version_data": [{"version_affected": "undefined", "version_value": "all versions"}]}}, {"product_name": "MMS Server for AC 800M", "version": {"version_data": [{"version_affected": "undefined", "version_value": "all versions"}]}}, {"product_name": "Base Software for SoftControl", "version": {"version_data": [{"version_affected": "undefined", "version_value": "all versions"}]}}]}, "vendor_name": "ABB"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-264 Permissions, Privileges, and Access Controls"}]}]}, "references": {"reference_data": [{"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "CONFIRM", "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "assignerShortName": "ABB", "cveId": "CVE-2020-8478", "datePublished": "2020-04-29T01:58:54", "dateReserved": "2020-01-30T00:00:00", "dateUpdated": "2020-04-29T01:58:54", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:mms_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "296927D5-AF68-488F-A606-818ACD253B75", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:opc_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9BF1B4E-225B-4A2C-A5EB-996A6CCA1F79", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:abb:ac800m:-:*:*:*:*:*:*:*", "matchCriteriaId": "18F5825D-A99A-4109-A08F-114C7D6D3FC3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:base_software:*:*:*:*:*:softcontrol:*:*", "matchCriteriaId": "D30E09D7-4C4D-459F-95DC-3B9FA341E5A4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder."}, {"lang": "es", "value": "Una protecci\u00f3n insuficiente de las funciones de comunicaci\u00f3n entre procesos en los productos OPC Server para AC 800M, MMS Server para AC 800M y Base Software para SoftControl (todas las versiones publicadas) de ABB System 800xA, permite a un atacante autenticado en el sistema local inyectar datos, afectando la visualizaci\u00f3n en l\u00ednea de los datos del tiempo de ejecuci\u00f3n que se muestran en Control Builder."}], "id": "CVE-2020-8478", "lastModified": "2020-05-13T18:48:00.137", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2020-04-29T02:15:11.763", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-264"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}