A looming cybersecurity threat emerges as B&R Automation Studio’s Upgrade Service and Technology Guarding exhibit a vulnerability awaiting analysis. The flaw lies in their insufficient cryptography during communication with upgrade and licensing servers, posing a grave risk. Potential exploitation by a network-based attacker could result in the execution of arbitrary code on the products or the interception of sensitive data.
This vulnerability exposes multiple weaknesses, including missing encryption of sensitive data, cleartext transmission of sensitive information, improper control of code generation (Code Injection), and inadequate encryption strength within B&R Industrial Automation’s B&R Automation Studio (Upgrade Service modules) and Technology Guarding. The impacted versions include B&R Automation Studio: <4.6 and Technology Guarding: <1.4.0.
The severity of this issue is underscored by a notable divergence in the NIST CVSS score and the CNA score from Asea Brown Boveri Ltd. (ABB). While NIST awaits providing a score, ABB rates it at 8.3, marking it as a high-severity vulnerability. Despite the absence of an official NVD CVSS score, the urgency to address this vulnerability cannot be overstated, emphasizing the need for immediate action and heightened security measures.