what you don't know can hurt you

ABB HMI Hardcoded Credentials

ABB HMI Hardcoded Credentials
Posted Jun 21, 2019
Authored by xen1thLabs

The affected ABB components implement hidden administrative accounts used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

tags | advisory
advisories | CVE-2019-7225
MD5 | 22f0c831444ec02904c35895012b0a71

ABB HMI Hardcoded Credentials

Change Mirror Download
XL-19-009 - ABB HMI Hardcoded Credentials Vulnerability
========================================================================

Identifiers
-----------
XL-19-009
CVE-2019-7225
ABBVU-IAMF-1902004
ABBVU-IAMF-1902011
ABBVU-IAMF-1902002


CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
xen1thLabs - Software Labs


Vulnerability summary
---------------------
The affected ABB components implement hidden administrative accounts used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI.

These identified credentials are:

IdalMaster : idal123
exor : exor
The credentials are sent over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials.


Technical details
-----------------
An attacker can use these credentials to login to any ABB HMI type CP635 to read/write HMI configuration files and reset the device. Combining these actions can push malicious configuration and HMI code to the device.


Affected systems
----------------
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior
CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior
CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior
CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.3674CP651, order code: 1SAP551100R0001, revision index B1 with BSPUN30 V1.76 and prior
CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior


Solution
--------
Apply the patches or changes recommended by the vendor in their vulnerability advisories:
- ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch

Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure


Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close