CVE-2020-24674

Improper Authorization in Symphony Plus

CVSS 8.8 HIGH | EPSS 2.9% | CWE-285

In short

Symphony Plus has a flaw where some commands don't properly check if users are allowed to run them. This means an authenticated user could perform actions they shouldn't have access to, like crashing the system or running malicious code.

Technical detail

A CWE-285 improper authorization vulnerability in S+ Operations and S+ Historian allows authenticated but insufficiently privileged users to bypass permission checks on certain client commands. Because those commands do not correctly check user permission, such users can cause a denial of service (DoS), execute arbitrary code, or escalate privileges.

Summary generated and translated by AI from the official description.

In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
