ABB Central Licensing System

Act Now9.8ICS-CERT ICSA-20-154-04Jun 2, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

ABB Central Licensing System contains multiple vulnerabilities that allow remote attackers to gain control of affected system nodes or crash the licensing service. The issues stem from information disclosure (CWE-200), XML external entity injection (CWE-611), resource exhaustion (CWE-400), and improper access controls (CWE-284). Successful exploitation requires only network access and no credentials. Affected products include AdvaBuild, Ability System 800xA, Ability Manufacturing Operations Management, Harmony OPC Server, Advant OCS, OPC Data Link, Composer suite, Symphony Plus, Knowledge Manager, Control Builder Safe, Compact HMI, and related components across versions 1.0 through 6.3.\n\nABB has provided patches for the Central Licensing Server itself but states that vulnerabilities in connected products (CVE-2020-8475 and CVE-2020-8476) will be corrected in future product versions with no timeline specified. Mitigation includes upgrading CLS to specific patched versions, restricting network access via firewalls, implementing IPSec/VPN, and enforcing access controls on service accounts.

What this means

What could happen

An attacker could gain remote control of the Central Licensing Server and run arbitrary commands, causing the system to stop operating or locking out legitimate users from accessing licensed ABB control system software.

Who's at risk

Manufacturing organizations using ABB Ability System 800xA, Harmony OPC Server, Control Builder, Composer suite, or Symphony Plus platforms for process automation and licensing. This affects engineering workstations, HMI systems, and the central licensing infrastructure that manages software licenses across the control system.

How it could be exploited

An attacker with network access to the CLS (Central Licensing Server) can send specially crafted requests that exploit information disclosure, XML external entity injection, or resource exhaustion flaws. No authentication is required, and the attack requires low complexity, allowing the attacker to either take control of the CLS node or crash the licensing service.

Prerequisites

Network access to the CLS Server (typically port 9443 or similar, depending on configuration)
No authentication required
CLS must be running a vulnerable version

Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS score (9.8)Affects 16 ABB productsNo vendor patches available for most products

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (16)

1 pending15 EOL

ProductAffected VersionsFix Status

AdvaBuild:3.7 SP1 | 3.7 SP2No fix (EOL)

Ability System 800xA / Advant OCS Control Builder A:1.3 | 1.4No fix (EOL)

Harmony OPC Server (HAOPC): Standalone6.0 | 6.1 | 7.0No fix yet

Ability System 800xA and related system extensions:5.1 | 6.0 | 6.1No fix (EOL)

Ability Manufacturing Operations Management:1812 | 1909No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HOTFIXUpgrade ABB Central Licensing Server to version 5.1 Rev A (5.1.0.38), 5.1 Rev E (5.1.0.99), 6.0 (6.0.0.26), 6.0.3.3 (6.0.03000.192), or 6.1 RU1 (6.1.00100.417) as appropriate for your deployment

WORKAROUNDImplement firewall rules to restrict network access to the CLS Server, allowing only connections from authorized engineering workstations and control system nodes

HARDENINGSeparate the CLS network from other networks (business network, internet) using firewalls and network segmentation

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGUse IPSec or VPN to encrypt and authenticate communication between CLS Client and Server nodes

HARDENINGReview user account access to CLS Server nodes and remove unnecessary accounts; block interactive logins to service accounts

HOTFIXIf running CLS version 5.1.0.14 or earlier, contact ABB before applying patches to ensure hardware compatibility

CVEs (5)

CVE-2020-8481 CVE-2020-8479 CVE-2020-8475 CVE-2020-8476 CVE-2020-8471

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4f8fa730-c7fd-4f35-b201-9f471ce38a60