ABB Asset Suite
Priority: Plan Patch
Score: 7.1
Advisory: ICS-CERT ICSA-20-072-02
Published: Mar 12, 2020
Attack Vector: Network
Privileges Required: Low (a valid, low-privilege application account)
Complexity: Low
User Interaction: None needed
Summary
ABB Asset Suite versions up to 9.6 (excluding the patched versions 9.4.2.6 and 9.5.3.2) contain a vulnerability that allows authenticated users, through direct resource access, to view information in the application that their permissions should not grant. An attacker with valid credentials could use this to retrieve sensitive operational or configuration data.
What this means
What could happen
An authenticated user could access sensitive information in ABB Asset Suite that they are not authorized to view, potentially exposing operational or configuration details.
Who's at risk
Organizations using ABB Asset Suite for asset management, inventory, or operational data storage. This includes manufacturing plants, utilities, and other industrial facilities where Asset Suite is deployed to track equipment and configuration information.
How it could be exploited
An attacker with valid login credentials to Asset Suite could request application resources directly, bypassing the permission checks that the normal interface applies, and so retrieve information they are not authorized to see. The attacker must first be authenticated to the system, typically as a legitimate application user.
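The pattern above is a missing object-level authorization check: the server verifies that a session exists but not that the session's user may see the specific record requested. The following is an added illustration written for this page, not Asset Suite's own code, data model or API; the records, role names and handler functions are constructed. It places the vulnerable handler beside a hardened one and includes the check a tester runs to find the bug, walking every record id with one low-privilege account.

```python
"""Added illustration of authenticated direct resource access without an
object-level authorization check, beside a hardened handler. Example code
for this page only; ASSETS, SITE_READER_ROLE, User, Asset and the handler
names are constructed and are not Asset Suite's code, data model or API."""

from dataclasses import dataclass


class NotFound(Exception):
    """Raised by the hardened handler for both missing and unauthorized ids,
    so a valid user cannot tell which ids exist outside their scope."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Asset:
    asset_id: int
    site: str      # site that owns the record (constructed)
    config: str    # sensitive configuration detail (constructed)


# Constructed sample records: two sites, one asset each.
ASSETS = {
    1001: Asset(1001, "plant-a", "controller A firmware 2.3, maintenance window Tue"),
    1002: Asset(1002, "plant-b", "controller B management address 10.20.30.40"),
}

# Constructed authorization table: role required to read a site's records.
SITE_READER_ROLE = {"plant-a": "site-a-reader", "plant-b": "site-b-reader"}


def get_asset_vulnerable(user, asset_id):
    """Vulnerable pattern: the only check is that a session exists.
    Any authenticated user who supplies another site's id gets the record."""
    if user is None:
        raise PermissionError("login required")
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise NotFound(asset_id)
    return asset


def get_asset_hardened(user, asset_id):
    """Hardened pattern: authentication, then an authorization check made
    against the specific record requested. Missing and unauthorized ids
    produce the same error."""
    if user is None:
        raise PermissionError("login required")
    asset = ASSETS.get(asset_id)
    if asset is None or SITE_READER_ROLE[asset.site] not in user.roles:
        raise NotFound(asset_id)
    return asset


def can_read(handler, user, asset_id):
    """True if handler returns the record to user, False if it refuses."""
    try:
        handler(user, asset_id)
        return True
    except (NotFound, PermissionError):
        return False


def access_matrix(handler, users):
    """Map each user to the ids handler lets them read. Walking every id with
    one low-privilege account is the check a tester runs to find this bug:
    under the vulnerable handler every authenticated user reads every id."""
    return {u.name: [i for i in ASSETS if can_read(handler, u, i)] for u in users}


if __name__ == "__main__":
    alice = User("alice", frozenset({"site-a-reader"}))
    print("vulnerable:", access_matrix(get_asset_vulnerable, [alice]))
    print("hardened:  ", access_matrix(get_asset_hardened, [alice]))
```

The hardened handler deliberately returns the same error for an id that does not exist and for one the user may not read; answering 403 for the latter would let a valid account enumerate which ids belong to other sites even after the data itself is protected.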
Prerequisites
- Valid Asset Suite application credentials
- Network access to Asset Suite application interface
- Requires authentication to exploit
- Information disclosure (not operational impact)
- Low public exploit availability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Asset Suite | ≤ 9.6 (excluding 9.4.2.6 and 9.5.3.2) | Fixed in 9.4.2.6, 9.5.3.2, and 9.6.1 or later
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Asset Suite to authorized users only; place it behind a firewall and isolate it from the Internet and the business network.
HARDENING: Enforce strong password policies and limit valid credentials to necessary personnel only.
Schedule — requires maintenance window
Patching may require a reboot; plan for process interruption.
HOTFIX: Update ABB Asset Suite to version 9.4.2.6, 9.5.3.2, or 9.6.1 or later.
HARDENING: Review and revoke access for users who no longer require Asset Suite access.
CVEs (1)