CVE-2023-3321

Code Execution through Writable Mosquitto Configuration File

Description

A vulnerability exists that allows low-privileged users to read and update data in various directories used by the zenon system. An attacker could exploit it by placing specially crafted programs in those directories so that they run on hosts where zenon is installed. This issue affects ABB Ability™ zenon: from 11 build through 11 build 106404.

Remediation

Workaround:

ABB recommends the following workarounds. Although these workarounds will not correct the underlying vulnerability, they block the known attack vectors.

  • For CVE-2023-3321, recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.
  • Remove the default directory permissions for ‘Everyone’ on the service grid, ABB utilities, and zenon_Projects directories and provide access only to specific users that are expected to access zenon.
  • Install the IIoT services, that is, the Service grid component, on a separate system.
  • Secure the ZEE600 related executable files in the ‘C:\ProgramData\ABB\ABBUtilities’ directory by removing the group named “Everyone”.
  • Ensure the group named “Everyone” is removed from the following directory: ‘C:\ProgramData\ABB’.
  • Secure the zenon_Projects directory by managing the access permissions. The project directory should be accessible only to the user group (excluding administrator) that contains the users of zenon projects.

    Example: A user group named ‘zenonOwnersGroup’ is created, and it is the only group that has write access to the zenon_Projects directory. Suppose the system has 2 users, test1 (part of zenonOwnersGroup) and test2 (not in zenonOwnersGroup). The project directory (C:\Users\Public\Documents\zenon_Projects) should have write access only for the zenonOwnersGroup and for no one else. Now, test1 should have write access to the zenon_Projects directory and test2 should not.
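To check whether the directory workaround above is in place, the following read-only PowerShell audit (an added example, not ABB's or this site's code) lists every allow entry that still gives “Everyone” a write-capable right on the directories named in the advisory. The function name `Get-EveryoneWriteAce` is hypothetical, and the service grid directory is omitted because the page does not give its path.

```powershell
# Added example: read-only audit of the directories named in the workaround.
# The service grid install path is not stated on the page; add it to $Paths.
$Paths = @(
    'C:\ProgramData\ABB',
    'C:\ProgramData\ABB\ABBUtilities',
    'C:\Users\Public\Documents\zenon_Projects'
)

# Well-known SID of Everyone; matching on the SID avoids localized group names.
$EveryoneSid = 'S-1-1-0'

# Rights that allow creating, changing or replacing files, or changing the ACL.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic bits: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$WriteBits = $WriteBits -bor 0x40000000 -bor 0x10000000

function Get-EveryoneWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found, skipped: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        # Request SIDs (explicit and inherited rules) so the comparison is exact.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -eq $EveryoneSid -and
                $r.AccessControlType -eq 'Allow' -and
                ([int]$r.FileSystemRights -band $WriteBits)) {
                [pscustomobject]@{
                    Path      = $p
                    Rights    = $r.FileSystemRights
                    Inherited = $r.IsInherited      # inherited ACEs are defined on a parent
                    AppliesTo = $r.InheritanceFlags # whether child files/folders receive it
                }
            }
        }
    }
}

$findings = @(Get-EveryoneWriteAce -Path $Paths)
if ($findings.Count -eq 0) { 'No write-capable ACE for Everyone found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

An explicit entry can be removed with `icacls <path> /remove:g *S-1-1-0`; an entry reported as inherited has to be removed on the parent directory where it is defined.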

Category

CVSS 3.1 score: 7.0
Severity: High
EPSS 0.12%
Vendor Advisory abb.com
Affected: ABB ABB Ability™ zenon

Frequently Asked Questions

What is the severity of CVE-2023-3321?
CVE-2023-3321 has been scored as a high severity vulnerability.
Is CVE-2023-3321 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2023-3321 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-3321?
CVE-2023-3321 affects ABB ABB Ability™ zenon.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.