CVE-2024-0220

B&R products use insufficient communication encryption

Severity Score

8.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data.

B&R Automation Studio Upgrade Service y B&R Technology Guarding utilizan criptografía insuficiente para la comunicación con la actualización y los servidores de licencias. Un atacante basado en la red podría aprovechar la vulnerabilidad para ejecutar código arbitrario en los productos o rastrear datos confidenciales. Falta de cifrado de datos confidenciales, transmisión de texto plano de información confidencial, control inadecuado de la generación de código ("inyección de código"), vulnerabilidad de fuerza de cifrado inadecuada en B&R Industrial Automation B&R Automation Studio (módulos de servicio de actualización), B&R Industrial Automation Technology Guarding.Este problema afecta a B&R Automation Studio: <4,6; Protección de tecnología: <1.4.0.

*Credits: N/A

CVSS Scores

Asea Brown Boveri Ltd. (ABB)v3.1 8.3

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-03 CVE Reserved
2024-02-22 CVE Published
2024-02-23 EPSS Updated
2024-09-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-311: Missing Encryption of Sensitive Data
CWE-319: Cleartext Transmission of Sensitive Information
CWE-326: Inadequate Encryption Strength
CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation

CAPEC

References (1)

URL	Tag	Source
https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
B&R Industrial Automation Search vendor "B&R Industrial Automation"		Automation Studio Search vendor "B&R Industrial Automation" for product "Automation Studio"				>= 4.0 < 4.6 Search vendor "B&R Industrial Automation" for product "Automation Studio" and version " >= 4.0 < 4.6"		en		Affected
B&R Industrial Automation Search vendor "B&R Industrial Automation"		Technology Guarding Search vendor "B&R Industrial Automation" for product "Technology Guarding"				>= 1.0.0 < 1.4.0 Search vendor "B&R Industrial Automation" for product "Technology Guarding" and version " >= 1.0.0 < 1.4.0"		en		Affected