Vulnerability CVE-2019-7229
Published: 2019-06-24

Description:
The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via ABB Panel Builder 600 over FTP." Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
ABB HMI Missing Signature Verification
xen1thLabs
25.06.2019

Type:

CWE-295

 (Certificate Issues)

CVSS2 => (AV:A/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.4/10
6.4/10
5.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://packetstormsecurity.com/files/153387/ABB-HMI-Missing-Signature-Verification.html
http://seclists.org/fulldisclosure/2019/Jun/34
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch
https://www.darkmatter.ae/xen1thlabs/abb-hmi-absence-of-signature-verification-vulnerability-xl-19-005/
Copyright 2024, cxsecurity.com

 

Back to Top