CVE-2022-31216
📋 TL;DR
This vulnerability in ABB Drive Composer allows a low-privileged local user to create and write arbitrary files anywhere on the file system with SYSTEM privileges, provided the target file does not already exist. The attacker triggers it through the installer's 'repair' operation, which runs with SYSTEM privileges. Any system with a vulnerable Drive Composer installation that low-privileged users can log on to is affected.
💻 Affected Systems
- ABB Drive Composer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation to SYSTEM, allowing installation of persistent malware, credential theft, or complete system takeover.
Likely Case
Privilege escalation leading to unauthorized file creation/modification, potential data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact if access controls keep low-privileged users off the affected systems or prevent them from running the installer's repair operation.
🎯 Exploit Status
Exploitation requires authenticated low-privileged local access and the ability to run the installer's repair operation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check ABB advisory for specific patched versions
Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&LanguageCode=en&DocumentPartId=&Action=Launch
Restart Required: Yes
Instructions:
1. Download the updated installer from ABB.
2. Uninstall the affected version.
3. Install the patched version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict Repair Operation Access
Platform: Windows
Prevent low-privileged users from running repair operations on Drive Composer.
Use the Windows Installer Group Policy settings (Computer Configuration > Administrative Templates > Windows Components > Windows Installer) to limit what non-admin users can do with the installer; these settings apply to every MSI-based product on the host, so test them before deployment.
Remove Low-Privileged Access
Platform: All
Ensure only trusted administrators have access to systems with Drive Composer installed.
🧯 If You Can't Patch
- Implement strict access controls to prevent low-privileged users from accessing systems with Drive Composer
- Monitor for unauthorized repair operation attempts and file creation in system directories
🔍 How to Verify
Check if Vulnerable:
Check whether Drive Composer is installed at a version below the fixed release named in the ABB advisory, and whether low-privileged users can log on to the host and run the installer's repair operation.
Check Version:
Check the Drive Composer version in Control Panel > Programs and Features, in the installer's file properties, or in the DisplayVersion value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node equivalent).
Verify Fix Applied:
Verify that the installed version matches or exceeds the fixed version in the ABB advisory, then confirm from a standard user account that running the repair operation no longer creates files in protected locations.
📡 Detection & Monitoring
Log Indicators:
- Security event 4688 (process creation) for msiexec.exe launched with the repair switch (/f...) by a non-admin account; the CommandLine field is only populated when "Include command line in process creation events" is enabled
- MsiInstaller events in the Application log recording the Drive Composer product being reconfigured by a non-admin user
- Security event 4663 (object access) showing unexpected file creation in system directories; requires a SACL on the monitored directories
Network Indicators:
- Unusual outbound connections from systems with Drive Composer after repair operations
SIEM Query (pseudo-syntax, adapt to your platform):
Log=Security AND EventID=4688 AND NewProcessName ENDSWITH 'msiexec.exe' AND CommandLine MATCHES '\s[/-]f[poecdaumsv]*(\s|$|\{)' AND SubjectUserName NOT IN (<members of the local Administrators group>)
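Detection logic for the 4688 indicator above, written as an added example (it is not part of the original page or of ABB's advisory): it filters Security 4688 process-creation records for msiexec.exe started with the Windows Installer repair switch by an account outside an administrator allowlist. The sample events, account names, paths and the all-zero product code are constructed placeholders; the only real syntax relied on is msiexec's documented /f repair option. CommandLine is empty unless command-line auditing is enabled, so the check silently misses repairs on hosts without it.

```python
"""Flag Windows Installer repair launches by non-admin users (added example).

Assumes Security event 4688 with command-line auditing enabled (Administrative
Templates > System > Audit Process Creation > "Include command line in process
creation events"). Without it CommandLine is empty and the /f switch is invisible.
All sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List

# msiexec repair switch: "/f" (or "-f") plus optional modifier letters, e.g.
# "/fa", "/fomus", followed by whitespace, end of line, or a "{ProductCode}".
REPAIR_SWITCH = re.compile(r"(?:^|\s)[/-]f[poecdaumsv]*(?=\s|$|\{)", re.IGNORECASE)

# Constructed allowlist of accounts expected to run installer maintenance; in
# production resolve this from the local Administrators group or AD instead.
ADMIN_ACCOUNTS = {"administrator", "svc_deploy"}
# Service accounts that legitimately spawn the elevated server-side msiexec.
SERVICE_ACCOUNTS = {"system", "local service", "network service"}


def is_msiexec(new_process_name: str) -> bool:
    """True if the created process is the Windows Installer binary."""
    return new_process_name.lower().endswith("\\msiexec.exe")


def is_repair_command(command_line: str) -> bool:
    """True if the msiexec command line requests a repair (/f...) operation."""
    return REPAIR_SWITCH.search(command_line or "") is not None


def flag_repair_by_non_admin(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return 4688 events where a non-admin, non-service account started an msiexec repair."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventID") != "4688":
            continue
        if not is_msiexec(ev.get("NewProcessName", "")):
            continue
        if not is_repair_command(ev.get("CommandLine", "")):
            continue
        user = ev.get("SubjectUserName", "").lower()
        if user in ADMIN_ACCOUNTS or user in SERVICE_ACCOUNTS:
            continue
        findings.append({
            "user": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
            "pid": ev.get("NewProcessId", ""),
            "command_line": ev.get("CommandLine", ""),
        })
    return findings


# Constructed sample records using the field names of Security event 4688.
# Paths, users and the product code are placeholders, not values from the advisory.
SAMPLE_EVENTS = [
    {"EventID": "4688", "SubjectDomainName": "CORP", "SubjectUserName": "administrator",
     "NewProcessName": "C:\\Windows\\System32\\msiexec.exe", "NewProcessId": "0x1a2c",
     "CommandLine": '"C:\\Windows\\System32\\msiexec.exe" /i "C:\\Installers\\Setup.msi" /qn'},
    {"EventID": "4688", "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\msiexec.exe", "NewProcessId": "0x2b40",
     "CommandLine": '"C:\\Windows\\System32\\msiexec.exe" /fa "C:\\Installers\\Setup.msi"'},
    {"EventID": "4688", "SubjectDomainName": "CORP", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\System32\\msiexec.exe", "NewProcessId": "0x2c10",
     "CommandLine": "MsiExec.exe /f{00000000-0000-0000-0000-000000000000}"},
    {"EventID": "4688", "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\msiexec.exe", "NewProcessId": "0x2c44",
     "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V"},
    {"EventID": "4688", "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "NewProcessId": "0x2d00",
     "CommandLine": "notepad.exe /f readme.txt"},
    {"EventID": "4663", "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "C:\\Windows\\System32\\msiexec.exe /fa Setup.msi"},
]

if __name__ == "__main__":
    for hit in flag_repair_by_non_admin(SAMPLE_EVENTS):
        print(f"ALERT msiexec repair by non-admin {hit['user']} pid={hit['pid']}: {hit['command_line']}")
```

Run as a script it reports the two constructed hits (alice's /fa repair and bob's /f{ProductCode} repair) and ignores the administrator's install, the SYSTEM-owned service-side msiexec, the unrelated notepad launch and the 4663 record. To use it against real data, feed it records exported from the Security log (for example via Get-WinEvent) and replace the allowlist with a lookup of the local Administrators group.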
🔗 References
- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.38192870.478847987.1655218701-372504397.1647012599