ABB AO OPC Server, is a server then enables access to information about ABB SA Protection and control products in a standard format for interface to Process Automation systems (DCS), SCADA, Substation Automation systems or any other system with OPC Client Support.
Security advisor from ABB had found vulnerability in versions up to (including) 3.2.1.0 with vulnerability IDS CVE-2023-2685.
A vulnerability was found in AO-OPC server versions mentioned above. As the directory information for the service entry is not enclosed in quotation marks, potential attackers could possibly call up another application than the AO-OPC server by starting the service. The service might be started with system user privileges which could cause a shift in user access privileges. It is unlikely to exploit the vulnerability in well maintained Windows installations since the attacker would need write access to system folders.
An update is available that resolves the vulnerability found during an internal review in the product versions listed above.
Abb recommend to do this actions asap:
The problem is corrected in the following product versions:
AO-OPC version 3.3.0
ABB recommends that customers apply the update at earliest convenience.
To obtain the installation files for the updated AO-OPC version please contact desupport.analytical@abb.com
using the subject line “AO-OPC update”.
Alternatively, the steps below are recommended:
1. After each registration of AO-OPC as a service, start the registry editor (administrator privileges
needed)
2. Open the registry entry
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Optima OPC Service
3. Enclose the string value that is entered under “ImagePath” with quotation marks.
Example.: “C:\Program Files (x86)\Analyze IT\AO-OPC\OptimaOPC.exe”