ABB Fixes Credential Mgt Vulnerability

Thursday, September 15, 2016 @ 03:09 PM gHale


ABB produced a new version to mitigate a credential management vulnerability in its DataManagerPro application, according to a report from ICS-CERT.

Trend Micro’s Zero Day Initiative (ZDI) sent the report it received from security researcher Andrea Micalizzi to ICS-CERT.

All versions of DataManagerPro from 1.0.0 to 1.7.0 suffer from the issue.

An attacker who successfully exploits this vulnerability could insert and run arbitrary code on a computer where the affected product is in use.

ABB is a Switzerland-based company that maintains offices in several countries around the world.

The affected product, DataManagerPro, is data analysis software. DataManagerPro is used in the energy sector on a global basis.

An authenticated user may swap DLLs in the package directory to elevate permissions to administrator.

CVE-2016-4526 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.

This vulnerability is not exploitable remotely and cannot be exploited without user interaction.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

ABB has produced a new version (Version 1.7.1) to mitigate this vulnerability. ABB recommends users apply the update at their earliest convenience.

More information is available in ABB’s security advisory (ABB-VU-BUMP-089290).

ABB recommends security practices and firewall configurations to help protect systems from attacks that originate from outside the network. Such practices include:
• Carefully inspect any files transferred between computers, including scanning them with up‑to‑date antivirus software, so that only legitimate files are transferred.
• User account management, appropriate authentication and permission management using the principle of least privilege.
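
As an added example (not from ABB's advisory or the original article), here is a least-privilege check relevant to the DLL-swap issue: the Python below parses the output of `icacls` run against an install directory and reports non-administrative principals that hold write-capable rights. The path, account names and sample output are constructed, and treating the directory ACL as the thing to audit is an assumption based on the article's description.

```python
import re

# Rights in `icacls` output that let a principal add, replace or delete files:
# simple (F, M, W) and specific (WD, AD, D, DC, WDAC, WO, GW, GA).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO", "GW", "GA"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}  # inheritance markers, not rights
# Principals normally expected to hold write access to an install directory.
EXPECTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
            "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

def parse_aces(icacls_text, path):
    """Yield (principal, rights) for each allow ACE in `icacls <path>` output."""
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                       # blank lines and the summary line
        tokens = {t for group in re.findall(r"\(([^)]*)\)", m.group("perms"))
                  for t in group.split(",")}
        if "DENY" in tokens:
            continue                       # deny ACEs grant nothing
        yield m.group("who"), tokens - INHERIT_FLAGS

def risky_writers(icacls_text, path):
    """Map each unexpected principal to the write-capable rights it holds."""
    findings = {}
    for who, rights in parse_aces(icacls_text, path):
        writable = rights & WRITE_RIGHTS
        if writable and who not in EXPECTED:
            findings.setdefault(who, set()).update(writable)
    return {who: sorted(r) for who, r in findings.items()}

# Constructed sample: placeholder path and accounts, not taken from the advisory.
SAMPLE_PATH = r"C:\ExampleVendor\PackageDir"
SAMPLE = r"""C:\ExampleVendor\PackageDir BUILTIN\Administrators:(I)(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                            BUILTIN\Users:(I)(OI)(CI)(RX)
                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
                            EXAMPLEHOST\operator:(R,W)
                            EXAMPLEHOST\guest:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in risky_writers(SAMPLE, SAMPLE_PATH).items():
        print(f"{who} can modify files in {SAMPLE_PATH}: {', '.join(rights)}")
```

Any principal it reports is a candidate for having its rights on that directory reduced to read and execute.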