ABB HMI Outdated Software Components

17 June 2019

 

IDENTIFIERS  

 

 

ABBVU-IAMF-1902001

ABBVU-IAMF-1902010

 

CVSS SCORE

 

7.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)

 

XID

 

XL-19-006

 

AFFECTED VENDORS

 

ABB (new.abb.com)

 

CREDIT

 

xen1thLabs - Software Labs

 

VULNERABILITY SUMMARY      

 

 

ABB HMI uses outdated software components that are statically linked into the firmware files and service binaries. These components have documented vulnerabilities and should be updated and replaced. It was possible to identify severally outdated OpenSSL (version 0.9.8g) and ABYSS HTTP (version 0.4) server components.

TECHNICAL DETAILS

 

 

 

 

 

OpenSSL 

The HMI Interface is using an outdated version of OpenSSL to implement HTTPS functionality.

As reported in CVE 2009-3245 (CVSS 10.0)penSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

 

 

OpenSSL Version String in binary

 

  • https://www.cvedetails.com/cve/CVE-2009-3245/
  • https://www.cvedetails.com/cve/CVE-2011-4109/
  • https://www.cvedetails.com/cve/CVE-2010-3864/
  • https://www.cvedetails.com/cve/CVE-2010-3864/
  • https://www.cvedetails.com/vulnerability-list.php?vendor_id=217&product_id=383&version_id=56319&page=1&hasexp= 0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc= 0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year= 0&month=0&cweid=0&order=3&trc=47&sha=606d15ad7fc2f15412f059a7edb89e1dce7282e6

 

 

 

 

ABYSS HTTP

When accessing resources over HTTP directly, the HTTP server replies with HTTP 401 Unauthorized and discloses its HTTP server details.

 

   

HTTP/1.1 401 Unauthorized

Refresh: 0; url=/

Content-type: text/html

Connection: close

Date: Mon, 12 Nov 2018 11:12:51 GMT

Server: 0.4

 

<HTML><HEAD><TITLE>Error 401</TITLE></HEAD><BODY><H1>Error 401</H1><P>Unauthorized</P><p><HR>

IDAL - HTTP daemon. Based on ABYSS Web Server ver.0.4 &copy; 2000 Moez Mahfoudh.</p></BODY></HTML>

 

 

This software component is severely outdated and affected by several known vulnerabilities. The disclosed medium severity vulnerabilities could allow an attacker to cause memory corruption that could be exploited for a Denial-of-Service attack:

  • https://www.exploit-db.com/exploits/43207
  • https://www.exploit-db.com/exploits/23419

 

AFFECTED SYSTEMS

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior

CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior

CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior

CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior

CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior

CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior

CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior

CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior

 

SOLUTION

 

 

 

 

 

 

ABB claims use of OpenSSL is unaffected, no statement for other Abyss web server:

- ABB CP635 HMI:

- ABB CP651 HMI:

 

DISCLOSURE TIMELINE

 

 

 

04/02/2019 - Contacted ABB requesting disclosure coordination

05/02/2019 - Provided vulnerability details

05/06/2019 – Vendor statement available

17/06/2019 – xen1thLabs public disclosure