CVE-2020-8479

Description

For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB AbilityTM SCADAvantage versions 5.1 to 5.6.5. an XML External Entity Injection vulnerability exists that allows an attacker to read or call arbitrary files from the license server and/or from the network and also block the license handling.

CVSS breakdown

Affected products

• ABB / ABB Ability™ SCADAvantage5.1 – unspecified
• ABB / ABB Ability™ SCADAvantageunspecified – 5.6.5
• ABB / ABB Ability System 800xA5.1 – 5.1
• ABB / ABB Ability System 800xA6.0 – 6.0
• ABB / ABB Ability System 800xA6.1 – 6.1
• ABB / AdvaBuild3.7 SP2 – 3.7 SP2
• ABB / AdvaBuild3.7 SP1 – 3.7 SP1
• ABB / Advant OCS AC 100 OPS Server6.0 – 6.0
• ABB / Advant OCS AC 100 OPS Server5.1 – 5.1
• ABB / Advant OCS AC 100 OPS Server6.1 – 6.1
• ABB / Advant OCS Control Builder A1.3 – 1.3
• ABB / Advant OCS Control Builder A1.4 – 1.4
• ABB / Central Licensing System5.1 – 5*
• ABB / Compact HMI5.1 – 5.1
• ABB / Compact HMI6.0 – 6.0
• ABB / Composer CTK6.2 – 6.2
• ABB / Composer CTK6.1 – 6.1
• ABB / Composer Harmony6.0 – 6.0
• ABB / Composer Harmony6.1 – 6.1
• ABB / Composer Harmony5.1 – 5.1
• ABB / Composer Melody6 – 6.3
• ABB / Composer Melody5.3 – 5.3
• ABB / Control Builder Safe1.1 – 1.1
• ABB / Control Builder Safe2.0 – 2.0
• ABB / Control Builder Safe1.0 – 1.0
• ABB / Harmony OPC Server Standalone6.1 – 6.1
• ABB / Harmony OPC Server Standalone6.0 – 6.0
• ABB / Harmony OPC Server Standalone7.0 – 7.0
• ABB / Knowledge Manager9.0 – 9.0
• ABB / Knowledge Manager8.0 – 8.0
• ABB / Knowledge Manager9.1 – 9.1
• ABB / Manufacturing Operations Management1812 – 1812
• ABB / Manufacturing Operations Management1909 – 1909
• ABB / OPC Data Link2.2 – 2.2
• ABB / OPC Data Link2.1 – 2.1
• ABB / OPC Server for Mod 300 (non-800xA)1.4 – 1.4
• ABB / Symphony Plus S+ Engineering1.1 – 2.2
• ABB / Symphony Plus S+ Operations3 – 3.2

References

• MISChttps://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch
• MISChttps://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch
• MISChttps://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309&LanguageCode=en&DocumentPartId=&Action=Launch