Summary
ABB is aware of vulnerabilities in the product versions listed as affected in this advisory. A firmware update is available that resolves these privately reported vulnerabilities. An attacker who successfully exploited them could access sensitive information stored on the device and change the device's configuration.
The following versions of ABB EIBPORT are affected:
- EIBPORT V3 KNX (2CLA963710W1001) <3.9.2
- EIBPORT V3 KNX (2CSM256242R2001) <3.9.2
- EIBPORT V3 KNX GSM (2CLA963720W1001) <3.9.2
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3.1 8 | ABB | ABB EIBPORT | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
Background
- Critical Infrastructure Sectors: Critical Manufacturing, Information Technology
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2021-22291
The vulnerability allows a successful attacker to obtain a copy of the session ID.
Affected Products
Vendor: ABB
Product: ABB EIBPORT
- EIBPORT V3 KNX (2CLA963710W1001) version <3.9.2
- EIBPORT V3 KNX (2CSM256242R2001) version <3.9.2
- EIBPORT V3 KNX GSM (2CLA963720W1001) version <3.9.2
Product status: known affected (versions <3.9.2); fixed (3.9.2)
Remediations
Vendor fix
ABB recommends that customers apply the update at their earliest convenience.
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Acknowledgments
- Psytester reported this vulnerability to ABB.
Mitigating factors
Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include physically protecting process control systems from direct access by unauthorized personnel, giving them no direct connections to the Internet, and separating them from other networks by means of a firewall system that exposes a minimal number of ports; further measures have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. More information on recommended practices can be found in the documents listed in the Reference section.
Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts h
[…]