CVE Vulnerability

CVE-2019-7225

The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to login to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components.

5.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.5 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://packetstormsecurity.com/files/153397/ABB-HMI-Hardcoded-Credentials.html Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2019/Jun/38 Mailing List Third Party Advisory
https://www.darkmatter.ae/xen1thlabs/abb-hmi-hardcoded-credentials-vulnerability-xl-19-009/ Exploit Patch
http://www.securityfocus.com/bid/108922 Third Party Advisory VDB Entry
Configurations

Configuration 1
Information

Published : 2019-06-27 05:15

Updated : 2019-10-09 11:51

NVD link : CVE-2019-7225

Mitre link : CVE-2019-7225

Products Affected

Abb

Pb610

CWE
CWE-798