CVE-2020-24683 : Security Advisory and Response

Symphony Plus Operations version 2.1 SP1 and earlier have a critical vulnerability that allows unauthorized actors to bypass authentication and make unauthorized connections to the server application.

Understanding CVE-2020-24683

This CVE involves an authentication bypass issue in ABB Ability™ Symphony® Plus Operations.

What is CVE-2020-24683?

The vulnerability in Symphony Plus Operations allows unauthorized actors to bypass authentication and establish unauthorized connections to the server application.

The Impact of CVE-2020-24683

The vulnerability has a CVSS base score of 9.8, indicating a critical severity level with high impacts on confidentiality, integrity, and availability.

Technical Details of CVE-2020-24683

Symphony Plus Operations version 2.1 SP1 and earlier are affected by an authentication bypass vulnerability.

Vulnerability Description

The affected versions use client-side authentication, which is less secure than server-side validation, enabling unauthorized actors to bypass authentication.

Affected Systems and Versions

Product: ABB Ability™ Symphony® Plus Operations
Vendor: ABB
Versions Affected: < 2.1 SP1

Exploitation Mechanism

Unauthorized actors can exploit the vulnerability by bypassing client-side authentication to establish unauthorized connections to the server application.

Mitigation and Prevention

Immediate action and long-term security practices are crucial to mitigate the risks associated with CVE-2020-24683.

Immediate Steps to Take

Update to the latest version of Symphony Plus Operations to eliminate the vulnerability.
Implement network protections to secure communication and endpoints.

Long-Term Security Practices

Enforce server-side validation for user authentication.
Regularly monitor and audit network traffic for unauthorized access attempts.

Patching and Updates

Apply security patches and updates provided by ABB to address the authentication bypass vulnerability.