CVE-2020-24680 : What You Need to Know

Learn about CVE-2020-24680 affecting ABB's Symphony Plus Operations and Historian. Discover the impact, affected versions, and mitigation steps for this high-severity vulnerability.

In S+ Operations and S+ Historian, the passwords of internal users are encrypted but improperly stored in a database.

Understanding CVE-2020-24680

This CVE involves the improper storage of internal user passwords in ABB's Symphony Plus Operations and Historian.

What is CVE-2020-24680?

In the Symphony Plus Operations and Historian systems, internal user passwords are encrypted but improperly stored.

The Impact of CVE-2020-24680

        CVSS Base Score: 7.0 (High Severity)
        Attack Vector: Local
        Attack Complexity: High
        Privileges Required: Low
        Confidentiality, Integrity, and Availability Impact: High
        Scope: Unchanged
        User Interaction: None

Technical Details of CVE-2020-24680

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The passwords of internal users in Symphony Plus Operations and Historian are encrypted but stored improperly in a database.

Affected Systems and Versions

        ABB Ability™ Symphony® Plus Operations:
              Versions less than 3.3 Service Pack 1
              Versions less than 2.1 SP2 Rollup 2
              Versions less than 2.2
        ABB Ability™ Symphony® Plus Historian:
              Versions less than 3.2

Exploitation Mechanism

Exploitation requires local access and low privileges. A successful attack has a high impact on confidentiality, integrity, and availability.

Mitigation and Prevention

Protect your systems from CVE-2020-24680 with these mitigation strategies.

Immediate Steps to Take

        Update to the latest patched versions of Symphony Plus Operations and Historian.
        Monitor and restrict access to the database storing user passwords.
        Implement strong password policies and encryption practices.

Long-Term Security Practices

        Conduct regular security audits and vulnerability assessments.
        Train employees on secure password management and data handling practices.

Patching and Updates

        Apply security patches provided by ABB promptly to address the vulnerability.
