Just Another Hacker
Author's avatar

XL-19-009 - ABB HMI Hardcoded Credentials Vulnerability

By Eldar Marcussen

Identifiers

XL-19-009 CVE-2019-7225 ABBVU-IAMF-1902004 ABBVU-IAMF-1902011 ABBVU-IAMF-1902002

CVSS Score

8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected vendor

ABB (new.abb.com)

Credit

xen1thLabs - Software Labs

Vulnerability summary

The affected ABB components implement hidden administrative accounts used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

These identified credentials are:

IdalMaster : idal123 exor : exor The credentials are sent over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials.

Technical details

An attacker can use these credentials to login to any ABB HMI type CP635 to read/write HMI configuration files and reset the device. Combining these actions can push malicious configuration and HMI code to the device.

Affected systems

CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 … 2.8.0.3674CP651, order code: 1SAP551100R0001, revision index B1 with BSPUN30 V1.76 and prior CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior

Solution

Apply the patches or changes recommended by the vendor in their vulnerability advisories: - ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch - ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch - ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

Disclosure timeline

  • 04/02/2019 - Contacted ABB requesting disclosure coordination
  • 05/02/2019 - Provided vulnerability details
  • 05/06/2019 - Patch available
  • 17/06/2019 - xen1thLabs public disclosure

graudit

Static source code analysis tool for finding vulnerabilities in source code.

htshells

Self contained attacks against per directory configuration in web servers.

PHP omelette

Code obfuscation tool for bypassing web application firewalls.

More

All of the project information on one page!

⠓⠁⠉⠅⠑⠗