ABB HMI Missing Signature Verification

2019.06.25
Credit: xen1thLabs
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-295


CVSS Base Score: 5.4/10
Impact Subscore: 6.4/10
Exploitability Subscore: 5.5/10
Exploit range: Adjacent network
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
====================================================================

Identifiers
-----------
XL-19-005
CVE-2019-7229
ABBVU-IAMF-1902003
ABBVU-IAMF-1902012

CVSS Score
----------
8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected vendor
---------------
ABB (new.abb.com)

Credit
------
xen1thLabs - Software Labs

Vulnerability summary
---------------------
ABB HMI uses two different transmission methods to upgrade its software components:

- Flashing the device from a USB stick or SD card
- Remote provisioning via ABB Panel Builder 600 over FTP

Neither transmission method implements any form of encryption or authenticity check on the new HMI software binary files.

Technical details
-----------------
Neither update mechanism encrypts or authenticates the new binaries of the HMI software components. An attacker who can deliver a file through either channel can therefore take over the HMI by replacing one of these .dll or .exe files with a manipulated one, which the device then executes with no signature check. The following Windows CE ARM executable was pushed to the HMI target via FTP and replaced an already existing binary, resulting in remote code execution.

Proof of concept
----------------
```c
// Windows CE ARM executable with a custom entry point. Dropped over FTP in place of an
// existing HMI binary, it runs unchecked because the device verifies no signature.
#include <windows.h>
#include <stdio.h>

// Replace the default entry point so ChangedEntry() runs as soon as the binary is loaded.
#pragma comment(linker, "/ENTRY:ChangedEntry /NODEFAULTLIB /SUBSYSTEM:WINDOWSCE")

void ChangedEntry()
{
    printf("Remote Code Execution!");
    LPCWSTR buff = L"Software Labs Remote Code Execution Proof of Concept";
    LPCWSTR a = L"RCE Vuln";
    MessageBox(0, buff, a, MB_OK | MB_ICONQUESTION);
}
```

Affected systems
----------------
- CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior
- CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior
- CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior
- CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior
- CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior
- CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior
- CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior
- CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior
- CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior
- CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior
- CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior
- CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior
- CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior
- CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior
- CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior
- CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior
- CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior

Solution
--------
ABB has not changed this, relying instead on password protection:

- ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
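The control the advisory says is missing is a check on the update file itself before it is written to the device, independent of whether it arrived by USB/SD card or FTP. The following Go program is an added example (not ABB's code, nor xen1thLabs'; the package layout, function names and key handling are constructed for illustration) showing what that check looks like: the vendor signs a small header (magic, version, SHA-256 of the image) with an Ed25519 key at build time, and the device verifies the signature against a pinned public key, re-hashes the image and refuses downgrades before anything reaches flash. It exercises the verifier on a genuine package, on a package whose image was swapped, on one whose header was edited, and on a genuinely signed but older package.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package layout (constructed for this example, not ABB's real format):
//   "HMIU" | uint32 big-endian version | SHA-256 of image | Ed25519 signature over the 40-byte header | image
const (
	magic  = "HMIU"
	hdrLen = len(magic) + 4 + sha256.Size   // 40 bytes: the signed header
	pkgMin = hdrLen + ed25519.SignatureSize // 104 bytes: shortest possible package
)

var (
	ErrFormat    = errors.New("malformed update package")
	ErrSignature = errors.New("header signature does not verify against the pinned vendor key")
	ErrDigest    = errors.New("image does not match the signed digest")
	ErrRollback  = errors.New("package version is not newer than the installed version")
)

// BuildPackage runs on the vendor's build system, the only place the private key exists.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	sum := sha256.Sum256(image)
	copy(hdr[8:], sum[:])
	pkg := make([]byte, 0, pkgMin+len(image))
	pkg = append(pkg, hdr...)
	pkg = append(pkg, ed25519.Sign(priv, hdr)...)
	return append(pkg, image...)
}

// VerifyPackage is the check the device runs on a file received over USB/SD or FTP before
// any byte reaches flash. vendorPub is the public key baked into the BSP; installed is the
// running version, used to reject downgrades to older (possibly vulnerable) images.
func VerifyPackage(vendorPub ed25519.PublicKey, installed uint32, pkg []byte) ([]byte, uint32, error) {
	if len(pkg) < pkgMin || string(pkg[:len(magic)]) != magic {
		return nil, 0, ErrFormat
	}
	hdr, sig, image := pkg[:hdrLen], pkg[hdrLen:pkgMin], pkg[pkgMin:]
	// 1. Authenticity: only the holder of the vendor private key can produce this signature.
	if !ed25519.Verify(vendorPub, hdr, sig) {
		return nil, 0, ErrSignature
	}
	// 2. Integrity: the image must hash to the digest that was signed.
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], hdr[8:hdrLen]) {
		return nil, 0, ErrDigest
	}
	// 3. Freshness: a genuine but older image must not be re-installed.
	version := binary.BigEndian.Uint32(hdr[4:8])
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return image, version, nil
}

// Scenarios runs the verifier over constructed inputs and returns each outcome by name.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pair
	if err != nil {
		panic(err)
	}
	const installed = 1
	genuine := BuildPackage(priv, 2, []byte("constructed HMI runtime binary v2"))

	// Someone with write access to the update channel can swap the image bytes...
	modified := append([]byte(nil), genuine...)
	modified[pkgMin] ^= 0xff

	// ...or rewrite the header, but cannot produce a valid signature for either change.
	retitled := append([]byte(nil), genuine...)
	binary.BigEndian.PutUint32(retitled[4:8], 99)

	// A legitimately signed but older package is caught by the version check alone.
	old := BuildPackage(priv, 1, []byte("constructed HMI runtime binary v1"))

	results := map[string]error{}
	inputs := map[string][]byte{"genuine": genuine, "image_modified": modified, "header_modified": retitled, "rollback": old}
	for name, pkg := range inputs {
		_, _, results[name] = VerifyPackage(pub, installed, pkg)
	}
	return results
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

The order of the three checks matters: the signature is verified first so that no attacker-controlled digest or version field is trusted until it is known to come from the vendor, and the version comparison comes last because a rollback attempt is a genuine package and only the freshness rule can catch it. Password protection on the FTP service, which the Solution section describes, gates who may upload but says nothing about what was uploaded; a signature check is what ties the accepted file to the vendor.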


Copyright 2019, cxsecurity.com