PT-2020-20157 · ABB · SPE for Melody +15
William Knowles · Published 2020-04-29 · Updated 2020-06-09 · CVE-2020-8471
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ABB Ability System 800xA versions 5.1 through 6.1
Compact HMI versions 5.1 through 6.0
Control Builder Safe versions 1.0 through 2.0
Symphony Plus -S+ Operations versions 3.0 through 3.2
Symphony Plus -S+ Engineering versions 1.1 through 2.2
Composer Harmony versions 5.1 through 6.1
Melody Composer versions 5.3, 6.1/6.2
SPE for Melody version 1.0SPx
Harmony OPC Server (HAOPC) Standalone versions 6.0 through 7.0
ABB Ability System 800xA/ Advant OCS Control Builder A versions 1.3 through 1.4
Advant OCS AC100 OPC Server versions 5.1 through 6.1
Composer CTK versions 6.1 through 6.2
AdvaBuild versions 3.7 SP1 through 3.7 SP2
OPCServer for MOD 300 (non-800xA) version 1.4
OPC Data Link versions 2.1 through 2.2
Knowledge Manager versions 8.0 through 9.1
Manufacturing Operations Management versions 1812 through 1909
Description
Weak file permissions in the Central Licensing Server component allow an authenticated attacker to block license handling, escalate privileges, and execute arbitrary code.
Recommendations
For ABB Ability System 800xA versions 5.1 through 6.1, update the Central Licensing Server component to a version with proper file permissions.
For Compact HMI versions 5.1 through 6.0, restrict access to the Central Licensing Server component until a patch is available.
For Control Builder Safe versions 1.0 through 2.0, consider disabling the license handling functionality as a temporary workaround.
For Symphony Plus -S+ Operations versions 3.0 through 3.2, apply configuration changes to limit the privileges of authenticated attackers.
For Symphony Plus -S+ Engineering versions 1.1 through 2.2, avoid using the vulnerable Central Licensing Server component until a fix is available.
For Composer Harmony versions 5.1 through 6.1, update the Harmony OPC Server (HAOPC) Standalone to a version with proper file permissions.
For Melody Composer versions 5.3, 6.1/6.2, restrict access to the SPE for Melody component.
For SPE for Melody version 1.0SPx, consider disabling the license handling functionality as a temporary workaround.
For Harmony OPC Server (HAOPC) Standalone versions 6.0 through 7.0, update the Central Licensing Server component to a version with proper file permissions.
For ABB Ability System 800xA/ Advant OCS Control Builder A versions 1.3 through 1.4, apply configuration changes to limit the privileges of authenticated attackers.
For Advant OCS AC100 OPC Server versions 5.1 through 6.1, restrict access to the Central Licensing Server component until a patch is available.
For Composer CTK versions 6.1 through 6.2, avoid using the vulnerable Central Licensing Server component until a fix is available.
For AdvaBuild versions 3.7 SP1 through 3.7 SP2, consider disabling the license handling functionality as a temporary workaround.
For OPCServer for MOD 300 (non-800xA) version 1.4, update the Central Licensing Server component to a version with proper file permissions.
For OPC Data Link versions 2.1 through 2.2, apply configuration changes to limit the privileges of authenticated attackers.
For Knowledge Manager versions 8.0 through 9.1, restrict access to the Central Licensing Server component until a patch is available.
For Manufacturing Operations Management versions 1812 through 1909, avoid using the vulnerable Central Licensing Server component until a fix is available.
Fix
Incorrect Default Permissions
Related Identifiers
Affected Products
ABB Ability System 800xA
AdvaBuild
Advant OCS AC100 OPC Server
Advant OCS Control Builder A
Compact HMI
Composer CTK
Composer Harmony
Control Builder Safe
Harmony OPC Server (HAOPC) Standalone
Knowledge Manager
Manufacturing Operations Management
Melody Composer
OPC Data Link
OPCServer for MOD 300
SPE for Melody
Symphony Plus