The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Symphony_+_historian | Abb | 3.0 (including) | 3.0 (including) |
| Symphony_+_historian | Abb | 3.1 (including) | 3.1 (including) |
| Symphony_+_operations | Abb | 1.1 (including) | 1.1 (including) |
| Symphony_+_operations | Abb | 2.0 (including) | 2.0 (including) |
| Symphony_+_operations | Abb | 2.1-sp1 (including) | 2.1-sp1 (including) |
| Symphony_+_operations | Abb | 2.1-sp2 (including) | 2.1-sp2 (including) |
| Symphony_+_operations | Abb | 3.0 (including) | 3.0 (including) |
| Symphony_+_operations | Abb | 3.1 (including) | 3.1 (including) |
| Symphony_+_operations | Abb | 3.2 (including) | 3.2 (including) |
| Symphony_+_operations | Abb | 3.3 (including) | 3.3 (including) |