CVE-2020-11639

Insufficient access control on Inter process communication,

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

An attacker could exploit the vulnerability by
injecting garbage data or specially crafted data. Depending on the data injected each process might be
affected differently. The process could crash or cause communication issues on the affected node, effectively causing a denial-of-service attack. The attacker could tamper with the data transmitted, causing
the product to store wrong information or act on wrong data or display wrong information.

This issue affects Advant MOD 300 AdvaBuild: from 3.0 through 3.7 SP2.

For an attack to be successful, the attacker must have local access to a node in the system and be able to
start a specially crafted application that disrupts the communication.
An attacker who successfully exploited the vulnerability would be able to manipulate the data in such
way as allowing reads and writes to the controllers or cause Windows processes in 800xA for MOD 300
and AdvaBuild to crash.

Un atacante podría aprovechar la vulnerabilidad inyectando datos basura o datos especialmente manipulados. Dependiendo de los datos inyectados, cada proceso puede verse afectado de manera diferente. El proceso podría fallar o causar problemas de comunicación en el nodo afectado, provocando efectivamente un ataque de denegación de servicio. El atacante podría alterar los datos transmitidos, provocando que el producto almacene información incorrecta o actúe sobre datos incorrectos o muestre información incorrecta. Este problema afecta a Advant MOD 300 AdvaBuild: desde 3.0 hasta 3.7 SP2. Para que un ataque tenga éxito, el atacante debe tener acceso local a un nodo del sistema y poder iniciar una aplicación especialmente diseñada que interrumpa la comunicación. Un atacante que explotara con éxito la vulnerabilidad podría manipular los datos de tal manera que permitiera lecturas y escrituras en los controladores o provocar que los procesos de Windows en 800xA para MOD 300 y AdvaBuild fallaran.

*Credits: N/A

CVSS Scores

Asea Brown Boveri Ltd. (ABB)v3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2020-04-08 CVE Reserved
2024-07-23 CVE Published
2024-07-24 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CAPEC

References (1)

URL	Tag	Source
https://search.abb.com/library/Download.aspx?DocumentID=3BUA003421&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.200044199.882581162.1721753430-284724496.1718609177

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
-		-				-		-		-