vulnrichment | ABB | VULNRICHMENT:CVE-2024-0220
History: Feb 22, 2024 - 10:15 a.m.

CVE-2024-0220 B&R products use insufficient communication encryption

2024-02-22 10:15:44
CWE-319
CWE-1240
CWE-94
ABB
github.com
2
cve-2024-0220
b&r automation studio
insufficient cryptography
communication encryption
arbitrary code
sensitive data.

CVSS3: 8.3

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score: 7.7
Confidence: High

SSVC

Exploitation: none
Automatable: no
Technical Impact: total

B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*"
    ],
    "vendor": "br-automation",
    "product": "automation_studio",
    "versions": [
      {
        "status": "affected",
        "version": "4.0",
        "lessThan": "4.6",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
