RVD#729: CMS-770 allows bypassing the user authentication and read read sensitive configuration files

[vmayoral]

{
    "id": 729,
    "title": "RVD#729: CMS-770 allows bypassing the user authentication and read read sensitive configuration files",
    "type": "vulnerability",
    "description": "The product CMS-770 (Software Versions 1.7.1 and prior)is vulnerable that an attacker can read sensitive configuration files by bypassing the user authentication mechanism.",
    "cwe": "CWE-287",
    "cve": "CVE-2018-17928",
    "keywords": "",
    "system": "",
    "vendor": "ABB",
    "severity": {
        "rvss-score": 0,
        "rvss-vector": "",
        "severity-description": "",
        "cvss-score": 6.5,
        "cvss-vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
    },
    "links": [
        "http://www.securityfocus.com/bid/106244",
        "https://ics-cert.us-cert.gov/advisories/ICSA-18-352-06",
        "https://github.com/aliasrobotics/RVD/issues/729"
    ],
    "flaw": {
        "phase": "unknown",
        "specificity": "N/A",
        "architectural-location": "N/A",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "",
        "detected-by": "",
        "detected-by-method": "N/A",
        "date-reported": "2019-01-31",
        "reported-by": "cve@mitre.org",
        "reported-by-relationship": "N/A",
        "issue": "https://github.com/aliasrobotics/RVD/issues/729",
        "reproducibility": "",
        "trace": "",
        "reproduction": "",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": null
    }
}

[vmayoral]

Advisory and mitigation https://library.e.abb.com/public/6e5e11da5dcf4591a91629356941803f/9ADB005557_ABB_SoftwareVulnerabilityHandlingAdvisory_Rev_D_CMS-770_July_2018.pdf?x-sign=dO7gHFP3XH3bUhX8QS9tcg2ytI3o3cH+uW9fcgUPVGt9nJQztZrbEJ8qSk/1b18U.

Readingt through it:

The ABB products in scope of this vulnerability advisory will not be updated with a new firmware.

moreover:

ABB has updated the manuals of the products in scope of this advisory and strongly advises customers to follow the updated installation recommendations. Customers who still want to operate the devices need to be aware of the vulnerabilities included and are requested to mitigate risks as advised in the manuals. At the moment there are no plans of corrective measures for this specific issue in the affected products.

[vmayoral]

Since there are no plans of corrective measures for this specific issue in the affected products we're neither tagging this as mitigated, neither closing the ticket.