List: full-disclosure
Subject: [FD] XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
From: xen1thLabs <xen1thLabs () darkmatter ! ae>
Date: 2019-06-20 12:08:16
Message-ID: fc1699834fad4519a9b6d7548c0e72ec () darkmatter ! ae
XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
========================================================================
Identifiers
-----------
XL-19-005
CVE-2019-7229
ABBVU-IAMF-1902003
ABBVU-IAMF-1902012
CVSS Score
----------
8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected vendor
---------------
ABB (new.abb.com)
Credit
------
xen1thLabs - Software Labs
Vulnerability summary
---------------------
ABB HMI panels accept new software components over two different transmission paths:
- A USB stick or SD card used to flash the device locally
- The remote provisioning process of ABB Panel Builder 600, which transfers files to the panel over FTP
Neither path applies any form of encryption or authenticity check to the new HMI software binaries: whatever file arrives is installed as-is.
Technical details
-----------------
Neither update mechanism implements encryption or an authentication check on the new binaries of the HMI software components. An attacker who can write to the device over FTP, or supply the USB/SD card it is flashed from, can therefore take over the HMI by replacing one of its .dll or .exe files with a modified one, which the panel then executes as if it were the legitimate component.
The Windows CE ARM executable below was pushed to the HMI target via FTP in place of an existing binary, and the panel ran it, giving remote code execution.
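The acceptance check that both update paths are described as lacking, written out as an added example (not code from the xen1thLabs advisory or from ABB). `install_update()` models the behaviour reported above, where whatever lands on the device over FTP or from the card becomes the installed software; `install_update_verified()` models the missing gate: the file list (manifest) is authenticated first, every staged file is bound to that list by hash, and only then is the installed set replaced, all or nothing. The manifest is authenticated with HMAC-SHA256 under a device key here purely so the example runs on the Python standard library; a production design would use an asymmetric signature (Ed25519 or RSA) checked against a public key fixed in the device firmware, since a symmetric key can be recovered from a dumped image. The key, file names and file contents are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for the example: a device key provisioned at manufacture.
DEVICE_KEY = b"constructed-device-key-not-a-real-abb-key"

# Constructed file contents standing in for HMI runtime binaries.
GENUINE_FILES = {
    "Runtime.exe": b"MZ genuine runtime build 1.77",
    "Panel.dll": b"MZ genuine panel library",
}
# What an attacker pushes over FTP: one binary swapped for a trojanised one.
TAMPERED_FILES = dict(GENUINE_FILES, **{"Runtime.exe": b"MZ attacker-controlled entry point"})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _encode(body: dict) -> bytes:
    # Canonical encoding so vendor and device authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes, version: str = "1.77") -> dict:
    """Vendor side: hash every file, then authenticate the whole list."""
    body = {"version": version, "files": {n: sha256_hex(d) for n, d in files.items()}}
    return {"body": body, "tag": hmac.new(key, _encode(body), hashlib.sha256).hexdigest()}


def install_update(staged: dict) -> dict:
    """Vulnerable path, as the advisory describes it: whatever was written
    over FTP or copied from the card becomes the installed software."""
    return dict(staged)


def install_update_verified(staged: dict, manifest: dict, key: bytes) -> dict:
    """Hardened path: authenticate the manifest before trusting anything in it,
    bind every staged file to it, then replace the installed set all at once."""
    expected = hmac.new(key, _encode(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest authentication failed")
    listed = manifest["body"]["files"]
    # Extra files (a dropped-in .dll) and missing files are both rejected.
    if set(staged) != set(listed):
        raise ValueError("file set does not match manifest")
    for name, data in staged.items():
        if not hmac.compare_digest(sha256_hex(data), listed[name]):
            raise ValueError(f"hash mismatch for {name}")
    return dict(staged)


def check_update(staged: dict, manifest: dict, key: bytes) -> str:
    """Returns 'installed' or the rejection reason, for logging and testing."""
    try:
        install_update_verified(staged, manifest, key)
        return "installed"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    manifest = build_manifest(GENUINE_FILES, DEVICE_KEY)
    print("vulnerable path ran attacker binary:",
          install_update(TAMPERED_FILES)["Runtime.exe"] == TAMPERED_FILES["Runtime.exe"])
    print("verified, genuine:", check_update(GENUINE_FILES, manifest, DEVICE_KEY))
    print("verified, tampered:", check_update(TAMPERED_FILES, manifest, DEVICE_KEY))
    forged = build_manifest(TAMPERED_FILES, b"attacker-guessed-key")
    print("verified, forged manifest:", check_update(TAMPERED_FILES, forged, DEVICE_KEY))
```

The order of checks matters: the manifest tag is verified before any field of it is read, so an attacker who can write to the staging area still cannot steer the device with a crafted file list, and the hash check covers the whole staged set rather than only the files the attacker chose to list.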
Proof of concept
----------------
```c
// Code Snippet
// Proof-of-concept Windows CE (ARM) executable, pushed over FTP in place of an
// existing HMI binary. The linker options set a custom entry point, drop the
// default CRT startup and select the Windows CE subsystem; because of
// /NODEFAULTLIB, coredll.lib (which on Windows CE supplies both printf and
// MessageBox) is linked explicitly. The includes and lib pragma are added here;
// the original snippet relied on the project's build settings for them.
#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "coredll.lib")
#pragma comment(linker, "/ENTRY:ChangedEntry /NODEFAULTLIB /SUBSYSTEM:WINDOWSCE")

void ChangedEntry()
{
    printf("Remote Code Execution!");
    LPCWSTR buff = L"Software Labs Remote Code Execution Proof of Concept";
    LPCWSTR a = L"RCE Vuln";
    MessageBox(0, buff, a, MB_OK | MB_ICONQUESTION);
}
```
Affected systems
----------------
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior
CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior
CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior
CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior
Solution
--------
ABB has not changed the update mechanism itself and instead relies on the password protection described in the following ABB documents:
- ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch
Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/