Identifiers

XL-19-006 ABBVU-IAMF-1902001 ABBVU-IAMF-1902010

CVSS Score

7.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)

Affected vendor

ABB (new.abb.com)

Credit

xen1thLabs - Software Labs

Vulnerability summary

ABB HMI uses outdated software components that are statically linked into the firmware files and service binaries. These components have documented vulnerabilities and should be updated and replaced. It was possible to identify severally outdated OpenSSL (version 0.9.8g) and ABYSS HTTP (version 0.4) server components.

Technical details

OpenSSL The HMI Interface is using an outdated version of OpenSSL to implement HTTPS functionality.

As reported in CVE 2009-3245 (CVSS 10.0)penSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

ABYSS HTTP When accessing resources over HTTP directly, the HTTP server replies with HTTP 401 Unauthorized and discloses its HTTP server details:

IDAL - HTTP daemon. Based on ABYSS Web Server ver.0.4 © 2000 Moez Mahfoudh

This software component is severely outdated and affected by several known vulnerabilities. The disclosed medium severity vulnerabilities could allow an attacker to cause memory corruption that could be exploited for a Denial-of-Service attack.

Affected systems

CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior

Solution

ABB claims use of OpenSSL is unaffected, no statement for other Abyss web server: - ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch - ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

Disclosure timeline

• 04/02/2019 - Contacted ABB requesting disclosure coordination
• 05/02/2019 - Provided vulnerability details
• 05/06/2019 - Patch available
• 17/06/2019 - xen1thLabs public disclosure