ABB HMI Absence of Signature Verification Vulnerability

17 June 2019

IDENTIFIERS

CVE-2019-7229

ABBVU-IAMF-1902003

ABBVU-IAMF-1902012

CVSS SCORE

8.3 (CVSS v3 vector AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

XID

XL-19-005

AFFECTED VENDORS

ABB (new.abb.com)

CREDIT

xen1thLabs - Software Labs

VULNERABILITY SUMMARY

The ABB HMI accepts new versions of its software components through two different transmission methods:

  • Utilization of a USB stick or SD card to flash the device
  • Remote provisioning via ABB Panel Builder 600 over FTP

Neither transmission method implements any form of encryption or authenticity check on the new HMI software binary files: whatever binary arrives is written to the device as-is.

TECHNICAL DETAILS

Neither update mechanism implements encryption or authentication checks on the new binaries of the HMI software components. An attacker who can reach the FTP provisioning interface, or who controls the USB/SD card used to flash the device, can therefore replace or modify these .dll or .exe files and execute arbitrary code on the system, taking over the HMI.

The following Windows CE ARM executable was pushed to the HMI target via FTP and replaced an already existing binary, resulting in remote code execution.

// Code Snippet: Windows CE ARM proof-of-concept binary. It is built with a
// custom entry point, so whichever existing binary it overwrites on the HMI
// now runs attacker-supplied code as soon as that binary is started.

#include <windows.h>
#include <stdio.h>

// Custom entry point, no default libraries, Windows CE subsystem. Because of
// /NODEFAULTLIB the coredll import library has to be given to the linker by hand.
#pragma comment(linker, "/ENTRY:ChangedEntry /NODEFAULTLIB /SUBSYSTEM:WINDOWSCE")

void ChangedEntry()
{
   printf("Remote Code Execution!");

   // Windows CE is Unicode-only, hence the wide-string (L"...") arguments.
   LPCWSTR buff = L"Software Labs Remote Code Execution Proof of Concept";
   LPCWSTR a = L"RCE Vuln";

   // Visible proof on the HMI display that the replaced binary executed.
   MessageBox(0, buff, a, MB_OK | MB_ICONQUESTION);
}
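The missing control, as an added example that is not part of the original advisory and is not ABB code: a hypothetical signed-update container in Go with the check the HMI should perform before replacing any binary, placed next to the accept-anything behaviour the advisory describes. The container layout, the file name "Runtime.exe", the sample payloads and the key pair are all constructed for the example; Ed25519 over the destination name plus payload is a common firmware-signing choice, not something ABB uses. The same VerifyImage call would cover the USB/SD-card path, because the check is on the image rather than on the transport.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateImage is a hypothetical signed-update container (not an ABB format).
// The HMI update paths described above carry only the raw .exe/.dll, which
// corresponds to an UpdateImage with an empty Signature.
type UpdateImage struct {
	Name      string // destination file name on the HMI, e.g. "Runtime.exe"
	Payload   []byte // the Windows CE binary
	Signature []byte // Ed25519 signature over signedMessage(); empty if absent
}

var (
	ErrUnsigned     = errors.New("update image carries no signature")
	ErrBadSignature = errors.New("signature does not verify against the vendor key")
)

// signedMessage binds the payload to its destination name with a length
// prefix, so a genuinely signed file cannot be replayed into a different slot.
func signedMessage(img UpdateImage) []byte {
	msg := []byte(fmt.Sprintf("%d:%s:", len(img.Name), img.Name))
	return append(msg, img.Payload...)
}

// SignImage is the vendor build step; the private key never leaves the vendor.
func SignImage(priv ed25519.PrivateKey, img UpdateImage) UpdateImage {
	img.Signature = ed25519.Sign(priv, signedMessage(img))
	return img
}

// AcceptUnsigned models the behaviour reported in this advisory: whatever
// arrives over FTP or from the SD card is written to flash as long as it is
// non-empty. There is nothing here for an attacker to defeat.
func AcceptUnsigned(img UpdateImage) error {
	if len(img.Payload) == 0 {
		return errors.New("empty payload")
	}
	return nil
}

// VerifyImage is the check the HMI should run before replacing any binary,
// regardless of whether the image arrived by FTP or by USB/SD card.
// The public key would be baked into the BSP image, not delivered with the update.
func VerifyImage(pub ed25519.PublicKey, img UpdateImage) error {
	if len(img.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, signedMessage(img), img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Results holds the outcome of each scenario so the behaviour can be checked.
type Results struct {
	Genuine        error // vendor-signed image through VerifyImage
	Tampered       error // attacker-modified payload through VerifyImage
	Unsigned       error // raw binary (the current update path) through VerifyImage
	LegacyTampered error // attacker-modified payload through AcceptUnsigned
}

// RunScenarios exercises both code paths with constructed sample binaries.
func RunScenarios() (Results, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	// Constructed sample payloads; real ones are PE images for ARM Windows CE.
	genuine := SignImage(priv, UpdateImage{Name: "Runtime.exe", Payload: []byte("MZ...vendor runtime...")})
	tampered := genuine
	tampered.Payload = []byte("MZ...ChangedEntry: MessageBox(RCE Vuln)...")
	raw := UpdateImage{Name: "Runtime.exe", Payload: tampered.Payload}

	return Results{
		Genuine:        VerifyImage(pub, genuine),
		Tampered:       VerifyImage(pub, tampered),
		Unsigned:       VerifyImage(pub, raw),
		LegacyTampered: AcceptUnsigned(tampered),
	}, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image, verified:    ", r.Genuine)
	fmt.Println("tampered image, verified:   ", r.Tampered)
	fmt.Println("unsigned image, verified:   ", r.Unsigned)
	fmt.Println("tampered image, legacy path:", r.LegacyTampered)
}
```

Run with go run; only the genuine image passes VerifyImage, while AcceptUnsigned takes the tampered image without complaint, which is the situation on the affected panels. Note that a password on the FTP provisioning interface does not change this picture: anyone holding that password, or able to write to the SD card, can still push a modified binary, because nothing on the device checks what was pushed.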

 

AFFECTED SYSTEMS
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior

CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior

CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior

CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior

 

SOLUTION

ABB has not changed the update mechanism and relies instead on password protection; vendor statements per model:

- ABB CP635 HMI:

- ABB CP651 HMI:

DISCLOSURE TIMELINE

04/02/2019 - Contacted ABB requesting disclosure coordination

05/02/2019 - Provided vulnerability details

05/06/2019 - Vendor statement available

17/06/2019 - xen1thLabs public disclosure