CVE-2021-22279 - OpenCVE

A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected Services Gateway Ethernet port.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Abb	Omnicore C30 Firmware Omnicore C30

Configuration 1 [-]

AND

cpe:2.3:o:abb:omnicore_c30_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:abb:omnicore_c30:-:*:*:*:*:*:*:*

References

Link	Resource
https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ABB

Published: 2021-12-01T00:00:00

Updated: 2021-12-13T15:48:03

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22279

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-13T16:15:08.590

Modified: 2021-12-17T01:41:46.123

Link: CVE-2021-22279

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"containers": {"cna": {"affected": [{"product": "RobotWare", "vendor": "ABB", "versions": [{"lessThan": "7.3.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-12-01T00:00:00", "descriptions": [{"lang": "en", "value": "A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected Services Gateway Ethernet port."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-13T15:48:03", "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCode=en&DocumentPartId=&Action=Launch"}], "solutions": [{"lang": "en", "value": "The problem is corrected in RobotWare version 7.3.2.\nABB recommends that customers apply the update at earliest convenience. The update is available for download from RobotStudio.\n"}], "source": {"discovery": "UNKNOWN"}, "title": "OmniCore RobotWare Missing Authentication Vulnerability", "workarounds": [{"lang": "en", "value": "ABB has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors:\n\u2022 Do not use Connected Services Ethernet port connection until the update has been applied, or\n\u2022 Protect Connected Services Gateway Ethernet port with a firewall, which prevents inbound connections."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@ch.abb.com", "DATE_PUBLIC": "2021-12-01T07:48:00.000Z", "ID": "CVE-2021-22279", "STATE": "PUBLIC", "TITLE": "OmniCore RobotWare Missing Authentication Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RobotWare", "version": {"version_data": [{"version_affected": "<", "version_value": "7.3.2"}]}}]}, "vendor_name": "ABB"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected Services Gateway Ethernet port."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306 Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "solution": [{"lang": "en", "value": "The problem is corrected in RobotWare version 7.3.2.\nABB recommends that customers apply the update at earliest convenience. The update is available for download from RobotStudio.\n"}], "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "ABB has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors:\n\u2022 Do not use Connected Services Ethernet port connection until the update has been applied, or\n\u2022 Protect Connected Services Gateway Ethernet port with a firewall, which prevents inbound connections."}]}}}, "cveMetadata": {"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "assignerShortName": "ABB", "cveId": "CVE-2021-22279", "datePublished": "2021-12-01T00:00:00", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2021-12-13T15:48:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:abb:omnicore_c30_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FCE8FA4-E440-4054-AC08-026C8330C5EB", "versionEndExcluding": "7.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:abb:omnicore_c30:-:*:*:*:*:*:*:*", "matchCriteriaId": "74FC3FD0-0A15-4013-B235-123088834F4F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected Services Gateway Ethernet port."}, {"lang": "es", "value": "Una vulnerabilidad de falta de autenticaci\u00f3n en RobotWare para el controlador de robot OmniCore permite a un atacante leer y modificar archivos en el controlador de robot si el atacante presenta acceso al puerto Ethernet de Connected Services Gateway"}], "id": "CVE-2021-22279", "lastModified": "2021-12-17T01:41:46.123", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2021-12-13T16:15:08.590", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=SI20265&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}