CVE-2020-11639
📋 TL;DR
CVE-2020-11639 is a local privilege escalation vulnerability in Advant MOD 300 AdvaBuild that allows attackers with local access to inject malicious data, potentially causing denial-of-service, data manipulation, or unauthorized controller access. This affects industrial control systems running AdvaBuild versions 3.0 through 3.7 SP2. Successful exploitation requires local access to a system node.
💻 Affected Systems
- Advant MOD 300 AdvaBuild
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains unauthorized read/write access to industrial controllers, manipulates critical process data, causes system crashes, and disrupts industrial operations.
Likely Case
Local attacker causes denial-of-service by crashing Windows processes, disrupting communication between system components.
If Mitigated
With proper network segmentation and access controls, impact limited to isolated systems with minimal operational disruption.
🎯 Exploit Status
Requires local access and ability to execute specially crafted application; attacker needs understanding of system communication protocols.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.7 SP2
Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=3BUA003421&LanguageCode=en&DocumentPartId=&Action=Launch
Restart Required: Yes
Instructions:
1. Download patch from ABB advisory 2. Apply update to affected AdvaBuild installations 3. Restart affected systems 4. Verify patch installation
🔧 Temporary Workarounds
Network Segmentation
allIsolate MOD 300 systems from general network access
Access Control Hardening
windowsRestrict local access to critical nodes and implement least privilege
🧯 If You Can't Patch
- Implement strict physical and logical access controls to prevent unauthorized local access
- Monitor for unusual process behavior or communication disruptions in affected systems
🔍 How to Verify
Check if Vulnerable:
Check AdvaBuild version via Control Panel > Programs and Features or system documentationCheck Version:
Check system documentation or contact ABB support for version verificationVerify Fix Applied:
Verify installed version is above 3.7 SP2 and check ABB patch documentation📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes
- Communication errors between MOD 300 components
- Unauthorized application execution
Network Indicators:
- Unusual inter-process communication patterns
- Data corruption in system logs
SIEM Query:
Process: (Name contains "AdvaBuild" OR "MOD300") AND (EventID: 1000 OR 1001 for crashes)🔗 References
- https://search.abb.com/library/Download.aspx?DocumentID=3BUA003421&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.200044199.882581162.1721753430-284724496.1718609177
- https://search.abb.com/library/Download.aspx?DocumentID=3BUA003421&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.200044199.882581162.1721753430-284724496.1718609177
