ControlTouch vulnerability allows attackers to remotely access devices by manipulating serial numbers. Learn the impact, technical details, affected systems, and mitigation steps.
ControlTouch is affected by a vulnerability in the commissioning process: an attacker who manipulates a serial number can gain remote access to ControlTouch devices within specific profiles. This affects ABB and Busch-Jaeger products. The issue has been resolved on the cloud side.
Understanding CVE-2021-22272
This CVE impacts the commissioning process of ControlTouch, enabling unauthorized remote access under certain conditions.
What is CVE-2021-22272?
The vulnerability in ControlTouch allows an attacker to manipulate the serial number supplied during commissioning, granting remote control and observation of the affected device.
The Impact of CVE-2021-22272
An attacker could potentially access and manipulate ControlTouch devices remotely, affecting both ABB and Busch-Jaeger products.
Technical Details of CVE-2021-22272
The vulnerability has a CVSSv3.1 base score of 6.5 (Medium severity), with low impact on each of confidentiality, integrity, and availability.
Vulnerability Description
The flaw allows an attacker to enter serial numbers in a specific way during commissioning, resulting in unauthorized remote access to the device.
Affected Systems and Versions
Products commissioned through the mybuildings.abb.com and my.busch-jaeger.de platforms are affected where the platform version predates 2021-05-03.
Exploitation Mechanism
By manipulating serial numbers, an attacker can cause a device to be virtually transferred and, under specific circumstances, gain control of it.
Mitigation and Prevention
Users are advised to take the immediate steps below to secure their systems and to follow the long-term security practices listed.
Immediate Steps to Take
Confirm that the cloud-side fix is in place for your platform, and monitor commissioned devices for any unauthorized access or unexpected transfers.
Long-Term Security Practices
Regularly review and update security policies, educate users about the risks of exposing device serial numbers during commissioning, and conduct periodic security assessments.
Patching and Updates
No firmware updates are required for customer products, as the fix was applied on the cloud side. Refer to the vendor advisory to determine whether your system is affected.