ABB HMI Hardcoded Credentials Vulnerability

17 June 2019

 

IDENTIFIERS

 

 

 

 

CVE-2019-7225

ABBVU-IAMF-1902004

ABBVU-IAMF-1902011

ABBVU-IAMF-1902002

 

CVSS SCORE

 

8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

XID

 

XL-19-009

 

AFFECTED VENDORS

 

ABB (new.abb.com)

 

CREDIT

 

xen1thLabs - Software Labs

 

VULNERABILITY SUMMARY     

 

 

 

 

 

 

 

The affected ABB components implement hidden administrative accounts used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

These identified credentials are:

  • IdalMaster : idal123
  • exor : exor

The credentials are sent over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials.

 

TECHNICAL DETAILS

 

 

An attacker can use these credentials to login to any ABB HMI type CP635 to read/write HMI configuration files and reset the device. Combining these actions can push malicious configuration and HMI code to the device.

 

PROOF OF CONCEPT

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 HTTP traffic showing the leaked backdoor credential.

 

FTP traffic showing the second leaked backdoor credential.

 

Backdoor credentials found in the reversed DLL

 

AFFECTED SYSTEMS      

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior

CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior

CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior

CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior

PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 … 2.8.0.3674CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior

 

SOLUTION 

 

 

 

 

 

 

 

 

 

Apply the patches or changes recommended by the vendor in their vulnerability advisories:

- ABB CP635 HMI:

- ABB PB610:

- ABB CP651 HMI:

 

DISCLOSURE TIMELINE

 

 

 

 

04/02/2019 - Contacted ABB requesting disclosure coordination

05/02/2019 - Provided vulnerability details

05/06/2019 - Patch available

17/06/2019 – xen1thLabs public disclosure