what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ABB HMI Missing Signature Verification

ABB HMI Missing Signature Verification
Posted Jun 21, 2019
Authored by xen1thLabs

ABB HMI fails to perform any signature validation checking during two different transmission methods for upgrade.

tags | exploit
advisories | CVE-2019-7229
SHA-256 | 39d7cecad6807940c328851d93368e198e19bde1cf6dc40359be5823c04e00ba

ABB HMI Missing Signature Verification

Change Mirror Download
XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
========================================================================

Identifiers
-----------
XL-19-005
CVE-2019-7229
ABBVU-IAMF-1902003
ABBVU-IAMF-1902012


CVSS Score
----------
8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
xen1thLabs - Software Labs


Vulnerability summary
---------------------
ABB HMI uses two different transmission methods to upgrade its software components:

- Utilization of USB/SD Card to flash the device
- Remote provisioning process via ABB Panel Builder 600 over FTP

Neither of these transmission methods implement any form of encryption or authenticity checks against the new HMI software binary files.


Technical details
-----------------
Neither of the update mechanisms implement encryption or authentication checks on the new binaries of the HMI Software components. An attacker could therefore take over the HMI by manipulating these .dll or .exe files to execute arbitrary code on the system.

The following Windows CE ARM executable was pushed to the HMI target via FTP and replaced an already existing binary resulting in remote code execution.


Proof of concept
----------------
```
// Code Snippet

#pragma comment(linker, "/ENTRY:ChangedEntry /NODEFAULTLIB /SUBSYSTEM:WINDOWSCE")

void ChangedEntry()

{

printf("Remote Code Execution!");

LPCWSTR buff = L"Software Labs Remote Code Execution Proof of Concept";

LPCWSTR a = L"RCE Vuln";

MessageBox(0, buff, a, MB_OK | MB_ICONQUESTION);

}
```


Affected systems
----------------
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior
CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior
CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior
CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior


Solution
--------
ABB has not changed this, relying instead on password protection:
- ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch


Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close