CVE-2019-18998 : Security Advisory and Response

Learn about CVE-2019-18998 affecting ABB Asset Suite versions 9.0 to 9.3, 9.4 before 9.4.2.6, 9.5 before 9.5.3.2, and 9.6.0. Discover the impact, technical details, and mitigation steps for this high-severity vulnerability.

ABB Asset Suite versions 9.0 to 9.3, 9.4 before 9.4.2.6, 9.5 before 9.5.3.2, and 9.6.0 are affected by an access control vulnerability that allows unrestricted access to directly referenced objects.

Understanding CVE-2019-18998

This CVE involves insufficient access control in ABB Asset Suite, potentially leading to unauthorized access to resources.

What is CVE-2019-18998?

The vulnerability allows an attacker who knows a resource's URL to access that resource directly, because the affected ABB Asset Suite versions apply inadequate access control.

The Impact of CVE-2019-18998

        CVSS Base Score: 7.1 (High)
        Confidentiality Impact: High
        Integrity Impact: Low
        Privileges Required: Low
        Attack Vector: Network
        Attack Complexity: Low
        User Interaction: None
        Scope: Unchanged
        Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Technical Details of CVE-2019-18998

Vulnerability Description

The web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 before 9.4.2.6, 9.5 before 9.5.3.2, and 9.6.0 lacks sufficient access control, enabling unrestricted access to directly referenced objects.

Affected Systems and Versions

        Asset Suite 9.0 to 9.3
        Asset Suite 9.4 prior to 9.4.2.6
        Asset Suite 9.5 prior to 9.5.3.2
        Asset Suite 9.6.0
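
The affected ranges listed above can be encoded as a check over an asset inventory. This is an added example, not code from ABB or from this advisory; the host names and sample inventory are constructed, and treating every 9.6.0.x build as affected is an assumption.

```python
import re

# Fixed releases per branch, as named in this advisory. Asset Suite version
# strings are assumed to be dotted integers such as "9.4.2.6".
FIXED = {(9, 4): "9.4.2.6", (9, 5): "9.5.3.2", (9, 6): "9.6.1"}

def parse_version(text):
    """Turn '9.4.2.6' into (9, 4, 2, 6), zero-padded to at least four parts."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(version):
    """True if the version falls in a range the advisory lists as affected."""
    v = parse_version(version)
    branch = v[:2]
    if (9, 0) <= branch <= (9, 3):
        return True  # 9.0 to 9.3: every release is listed
    if branch in FIXED:
        # 9.4 before 9.4.2.6, 9.5 before 9.5.3.2, 9.6.0 (anything before 9.6.1)
        return v < parse_version(FIXED[branch])
    return False  # not listed by the advisory; this is not proof of safety

def triage(inventory):
    """Return {host: action} for hosts that need attention in {host: version}."""
    actions = {}
    for host, version in inventory.items():
        try:
            if not is_affected(version):
                continue
            fixed = FIXED.get(parse_version(version)[:2])
            actions[host] = f"upgrade to {fixed}" if fixed else "move to a patched branch"
        except ValueError:
            actions[host] = "version unreadable, check manually"
    return actions

# Constructed sample inventory (hypothetical hosts), for illustration only.
SAMPLE = {"as-prod-01": "9.3", "as-prod-02": "9.4.2.5", "as-test-01": "9.4.2.6",
          "as-test-02": "9.5.3.2", "as-dev-01": "9.6.0", "as-dev-02": "9.6.1",
          "as-old": "unknown"}

if __name__ == "__main__":
    for host, action in triage(SAMPLE).items():
        print(f"{host}: {action}")
```
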

Exploitation Mechanism

Attackers exploit the lack of access control by directly accessing referenced objects through known URLs.

Mitigation and Prevention

Immediate Steps to Take

        Apply the provided patches for Asset Suite versions 9.4.2.6, 9.5.3.2, and 9.6.1 to address the vulnerability.
        Restrict access to the web interface to authorized users only.

Long-Term Security Practices

        Regularly review and update access control policies.
        Conduct security assessments to identify and address similar vulnerabilities.

Patching and Updates

Ensure all systems running affected versions of Asset Suite are promptly updated to the patched versions.
