Details of VAR-202012-0321

ID

VAR-202012-0321

CVE

CVE-2020-24676

TITLE

Symphony Plus Operations and Symphony Plus Historian Vulnerability in privilege management

Trust: 0.8

sources: JVNDB: JVNDB-2020-014751

DESCRIPTION

In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as. ABB Symphony Plus Operations is a management device used in industrial environments to improve operational efficiency. The device provides an easy-to-use human-machine interface, seamlessly integrates all plant equipment and subsystems using industry-standard protocols and technologies, and provides functions such as alarm management, process optimization, and more. ABB Symphony Plus Historian is a device for visually viewing and managing historical information of industrial equipment

Trust: 1.71

sources: NVD: CVE-2020-24676 // JVNDB: JVNDB-2020-014751 // VULHUB: VHN-178578

AFFECTED PRODUCTS

vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	2.0	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.0	Trust: 1.0
vendor:	abb	model:	symphony \+ historian	scope:	eq	version:	3.1	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	2.1	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.3	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	1.1	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.2	Trust: 1.0
vendor:	abb	model:	symphony \+ historian	scope:	eq	version:	3.0	Trust: 1.0
vendor:	abb	model:	symphony \+ operations	scope:	eq	version:	3.1	Trust: 1.0
vendor:	abb	model:	symphony plus historian	scope:	-	version:	-	Trust: 0.8
vendor:	abb	model:	symphony plus operations	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-014751 // NVD: CVE-2020-24676

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-24676
value:	HIGH
Trust: 1.0
cybersecurity@ch.abb.com:	CVE-2020-24676
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-24676
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202012-1465
value:	HIGH
Trust: 0.6
VULHUB:	VHN-178578
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-24676
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-178578
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-24676
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2020-014751
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-178578 // JVNDB: JVNDB-2020-014751 // CNNVD: CNNVD-202012-1465 // NVD: CVE-2020-24676 // NVD: CVE-2020-24676

PROBLEMTYPE DATA

problemtype:	CWE-274	Trust: 1.0
problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Improper authority management (CWE-269) [NVD Evaluation ]	Trust: 0.8
problemtype:	CWE-269	Trust: 0.1

sources: VULHUB: VHN-178578 // JVNDB: JVNDB-2020-014751 // NVD: CVE-2020-24676

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202012-1465

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202012-1465

PATCH

title:	Vulnerability ID	url:	https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch	Trust: 0.8
title:	ABB Symphony Plus Operations and ABB Symphony Plus Historian Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137993	Trust: 0.6

sources: JVNDB: JVNDB-2020-014751 // CNNVD: CNNVD-202012-1465

EXTERNAL IDS

db:	NVD	id:	CVE-2020-24676	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-014751	Trust: 0.8
db:	CNNVD	id:	CNNVD-202012-1465	Trust: 0.7
db:	VULHUB	id:	VHN-178578	Trust: 0.1

sources: VULHUB: VHN-178578 // JVNDB: JVNDB-2020-014751 // CNNVD: CNNVD-202012-1465 // NVD: CVE-2020-24676

REFERENCES

url:	https://search.abb.com/library/download.aspx?documentid=2paa123980&languagecode=en&documentpartid=&action=launch	Trust: 1.6
url:	https://search.abb.com/library/download.aspx?documentid=2paa123982&languagecode=en&documentpartid=&action=launch	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24676	Trust: 1.4
url:	https://search.abb.com/library/download.aspx?documentid=2paa123980&languagecode=en&documentpartid=&action=launch	Trust: 0.1
url:	https://search.abb.com/library/download.aspx?documentid=2paa123982&languagecode=en&documentpartid=&action=launch	Trust: 0.1

sources: VULHUB: VHN-178578 // JVNDB: JVNDB-2020-014751 // CNNVD: CNNVD-202012-1465 // NVD: CVE-2020-24676

SOURCES

db:	VULHUB	id:	VHN-178578
db:	JVNDB	id:	JVNDB-2020-014751
db:	CNNVD	id:	CNNVD-202012-1465
db:	NVD	id:	CVE-2020-24676

LAST UPDATE DATE

2024-11-23T22:29:22.238000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-178578	date:	2021-09-14T00:00:00
db:	JVNDB	id:	JVNDB-2020-014751	date:	2021-08-30T08:30:00
db:	CNNVD	id:	CNNVD-202012-1465	date:	2021-09-15T00:00:00
db:	NVD	id:	CVE-2020-24676	date:	2024-11-21T05:15:42.043

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-178578	date:	2020-12-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-014751	date:	2021-08-30T00:00:00
db:	CNNVD	id:	CNNVD-202012-1465	date:	2020-12-22T00:00:00
db:	NVD	id:	CVE-2020-24676	date:	2020-12-22T22:15:13.333