CVE-2022-31218
📋 TL;DR
This vulnerability in ABB Drive Composer allows low-privileged users to create and write arbitrary files anywhere on the file system with SYSTEM privileges, as long as the target file doesn't already exist. Attackers can exploit this by running the 'repair' operation in the installer. This affects systems where Drive Composer is installed and low-privileged users have access.
💻 Affected Systems
- ABB Drive Composer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation to SYSTEM, allowing attackers to create malicious executables, overwrite critical system files, or establish persistence mechanisms.
Likely Case
Local privilege escalation leading to unauthorized SYSTEM-level access, potentially enabling further lateral movement or data exfiltration.
If Mitigated
Limited impact if proper access controls prevent low-privileged users from executing the repair operation or accessing affected systems.
🎯 Exploit Status
Exploitation requires authenticated low-privileged access and knowledge of the repair operation. The vulnerability is straightforward to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Drive Composer 3.14.0 and later
Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&LanguageCode=en&DocumentPartId=&Action=Launch
Restart Required: Yes
Instructions:
1. Download Drive Composer version 3.14.0 or later from ABB's official website.
2. Run the installer with administrative privileges.
3. Follow the installation wizard to upgrade.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict Repair Operation Access
Modify permissions to prevent low-privileged users from executing the repair operation in the Drive Composer installer.
icacls "C:\Program Files\ABB\Drive Composer\*" /deny "Users:(RX)"
icacls "C:\Program Files (x86)\ABB\Drive Composer\*" /deny "Users:(RX)"
Remove Low-Privileged User Access
Ensure only trusted administrators have access to systems with Drive Composer installed.
🧯 If You Can't Patch
- Implement strict access controls to prevent low-privileged users from accessing systems with Drive Composer installed.
- Monitor for unauthorized repair operation attempts and file creation activities in system directories.
🔍 How to Verify
Check if Vulnerable:
Check the Drive Composer version: open Drive Composer and go to Help > About. If the version is below 3.14.0, the system is vulnerable.
Check Version:
wmic product where "name like 'Drive Composer%'" get version
Verify Fix Applied:
Verify Drive Composer version is 3.14.0 or higher in Help > About menu. Test that low-privileged users cannot run repair operations.
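The version check above is easy to get wrong when scripted, because a plain string comparison ranks "3.9.0" above "3.14.0". The following Python helper, added here as an example and not part of the advisory or of ABB's tooling, parses the output of the `wmic product ... get version` command shown above and compares each installed version numerically against the 3.14.0 fix threshold. The sample wmic output is constructed, not captured from a real host.

```python
import re

# Fix threshold stated in the advisory: Drive Composer 3.14.0 and later.
FIXED_VERSION = (3, 14, 0)


def parse_version(text):
    """Turn a dotted version string such as '3.13.2' into a tuple of ints.

    Tuples compare component by component, so (3, 9, 0) < (3, 14, 0) as it
    should; the raw strings would compare the other way round.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no version number found in {text!r}")
    # Pad to three components so '3.14' is treated as 3.14.0.
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True when the installed version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def versions_from_wmic_output(output):
    """Extract version strings from `wmic product where ... get version`.

    wmic prints a 'Version' header line followed by one value per matching
    product, padded with trailing spaces; blank lines are skipped.
    """
    versions = []
    for line in output.splitlines()[1:]:
        line = line.strip()
        if line:
            versions.append(line)
    return versions


# Constructed sample in the shape wmic prints (not real captured output).
SAMPLE_WMIC_OUTPUT = "Version  \n3.13.1   \n"

if __name__ == "__main__":
    for v in versions_from_wmic_output(SAMPLE_WMIC_OUTPUT):
        print(v, "VULNERABLE (below 3.14.0)" if is_vulnerable(v) else "fixed")
```

Run it as-is to see the constructed sample flagged, or pipe real wmic output into `versions_from_wmic_output`; the `wmic product` query itself can take a while, since it enumerates every installed MSI product.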
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Drive Composer repair operations by non-administrative users
- File creation events in system directories by Drive Composer processes
Network Indicators:
- No specific network indicators as this is a local privilege escalation
SIEM Query:
EventID=4688 AND ProcessName LIKE '%Drive Composer%' AND SubjectUserName NOT IN (Administrator, SYSTEM)
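The SIEM query above expressed in Python over exported process-creation events, added here as an example and not part of the advisory: it keeps EventID 4688 records whose new process lives under a Drive Composer install path and whose subject account is outside the privileged set. The CSV column names follow the Windows Security log fields for event 4688 (SubjectUserName, NewProcessName, CommandLine); the event rows and the `setup.exe` file name under the Drive Composer directory are constructed placeholders, not real captured data.

```python
import csv
import io

# Install roots from the advisory's workaround section, matched case-insensitively.
PRODUCT_PATH_FRAGMENT = "\\abb\\drive composer\\"
# Accounts the advisory's query excludes; extend with your own admin accounts (assumption).
PRIVILEGED_ACCOUNTS = {"administrator", "system"}


def is_suspicious(event):
    """True for a 4688 event where a binary under the Drive Composer install
    directory was started by an account that is not in PRIVILEGED_ACCOUNTS."""
    if event.get("EventID") != "4688":
        return False
    process = event.get("NewProcessName", "").lower()
    user = event.get("SubjectUserName", "").lower()
    return PRODUCT_PATH_FRAGMENT in process and user not in PRIVILEGED_ACCOUNTS


def find_suspicious(csv_text):
    """Run the rule over a CSV export and return the matching rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if is_suspicious(row)]


# Constructed sample export (not real log data): one benign SYSTEM installer
# run, one standard-user launch under the Drive Composer path, one unrelated
# process, and one admin launch under the same path.
SAMPLE_EVENTS = """\
EventID,TimeCreated,SubjectUserName,NewProcessName,CommandLine
4688,2022-06-14T10:02:11,SYSTEM,C:\\Windows\\System32\\msiexec.exe,msiexec.exe /V
4688,2022-06-14T10:05:43,jdoe,C:\\Program Files\\ABB\\Drive Composer\\setup.exe,setup.exe
4688,2022-06-14T10:06:02,jdoe,C:\\Windows\\System32\\notepad.exe,notepad.exe
4688,2022-06-14T10:07:55,Administrator,C:\\Program Files (x86)\\ABB\\Drive Composer\\setup.exe,setup.exe
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["TimeCreated"], hit["SubjectUserName"], hit["NewProcessName"])
```

Expect this rule to be noisy: standard users starting Drive Composer is its ordinary use, so the 4688 match is a trigger for correlation rather than an alert on its own. Pair it with the second log indicator above, file creation in system directories, and with the `CommandLine` column, which the sample keeps so the same rows can be filtered further once you know how the installer's repair is invoked in your environment.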
🔗 References
- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.38192870.478847987.1655218701-372504397.1647012599