{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-0220","assignerOrgId":"2b718523-d88f-4f37-9bbd-300c20644bf9","state":"PUBLISHED","assignerShortName":"ABB","dateReserved":"2024-01-03T15:46:41.224Z","datePublished":"2024-02-22T10:15:44.750Z","dateUpdated":"2024-09-19T17:24:51.723Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Upgrade Service"],"product":"Automation Studio","vendor":"B&R Industrial Automation","versions":[{"lessThan":"4.6","status":"affected","version":"4.0","versionType":"patch"}]},{"defaultStatus":"unaffected","product":"Technology Guarding","vendor":"B&R Industrial Automation","versions":[{"lessThan":"1.4.0","status":"affected","version":"1.0.0","versionType":"patch"}]}],"datePublic":"2024-02-22T10:10:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"B&amp;R Automation Studio Upgrade Service and B&amp;R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data.\n\n<br>"}],"value":"B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1240","description":"CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-319","description":"CWE-319 Cleartext Transmission of Sensitive Information","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-94","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"2b718523-d88f-4f37-9bbd-300c20644bf9","shortName":"ABB","dateUpdated":"2024-09-19T17:24:51.723Z"},"references":[{"url":"https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf"}],"source":{"advisory":"2023-P019","discovery":"INTERNAL"},"title":"B&R products use insufficient communication encryption","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T17:41:15.976Z"},"title":"CVE Program Container","references":[{"url":"https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf","tags":["x_transferred"]}]},{"affected":[{"vendor":"br-automation","product":"automation_studio","cpes":["cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"4.0","status":"affected","lessThan":"4.6","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-02-22T16:23:26.378691Z","id":"CVE-2024-0220","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-28T16:52:09.908Z"}}]}}