Multiple vulnerabilities in ABB PB610 Panel Builder 600



Published: 2019-07-04
Risk: Medium
Patch available: YES
Number of vulnerabilities: 7
CVE-ID: CVE-2019-7225, CVE-2019-7226, CVE-2019-7227, CVE-2019-7228, CVE-2019-7230, CVE-2019-7232, CVE-2019-7231
CWE-ID: CWE-798, CWE-287, CWE-22, CWE-134, CWE-121
Exploitation vector: Local network
Public exploit: Public exploit code for vulnerabilities #1 through #7 is available.
Vulnerable software
BSP UN31
Server applications / SCADA systems

BSP UN30
Server applications / SCADA systems

PB610 Panel Builder 600
Server applications / SCADA systems

Vendor: ABB

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Use of hard-coded credentials

EUVDB-ID: #VU19010

Risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7225

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows an attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the code, namely IdalMaster:idal123 and exor:exor. An attacker can use these credentials to log in to the ABB HMI, read and write HMI configuration files, and reset the device.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

BSP UN31: before 2.31

BSP UN30: before 2.31

PB610 Panel Builder 600: 1.91 - 2.8.0.367

External links

http://www.us-cert.gov/ics/advisories/icsa-19-178-01
http://search-ext.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Improper Authentication

EUVDB-ID: #VU19011

Risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7226

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows an attacker to bypass the authentication process.

The vulnerability exists because the CGI interface of the IDAL HTTP server contains a URL that can be used to bypass authentication. An attacker can request this URL to skip the authentication process and gain access to privileged functions.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

BSP UN31: before 2.31

BSP UN30: before 2.31

PB610 Panel Builder 600: 1.91 - 2.8.0.367

External links

http://www.us-cert.gov/ics/advisories/icsa-19-178-01
http://search-ext.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&a...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

3) Path traversal

EUVDB-ID: #VU19012

Risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7227

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows an attacker to perform directory traversal attacks.

The vulnerability exists because the IDAL FTP server fails to ensure that directory change requests cannot move to locations outside the FTP root directory. An authenticated attacker can traverse outside the server root directory simply by changing the directory.
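The defensive counterpart to this weakness is a CWD handler that canonicalizes the requested path against a virtual root before any filesystem call and refuses requests that would climb above it. The following is an added illustration written for this bulletin, not ABB's or the IDAL server's code; the function name `ftp_resolve_cwd`, the virtual-root model (where "/" is the FTP root and nothing above it is addressable), the depth and length limits, and the fail-closed handling of ".." at the root are all assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not ABB code). Paths are virtual: "/" is the FTP root and
 * nothing above it is addressable, whatever the real directory on disk. */
#define FTP_MAX_PATH 256
#define FTP_MAX_DEPTH 32

/* Resolve a CWD argument against the current virtual directory.
 * On success writes the normalized virtual path to out[outlen] and returns 0.
 * Returns -1 (out is then undefined) if the request would climb above the
 * root, contains a backslash (a separator on Windows hosts) or is too long.
 * Refusing rather than clamping makes a traversal attempt visible in logs. */
int ftp_resolve_cwd(const char *cwd, const char *arg, char *out, size_t outlen)
{
    char joined[FTP_MAX_PATH * 2];
    const char *seg[FTP_MAX_DEPTH];
    size_t seglen[FTP_MAX_DEPTH];
    size_t nseg = 0, used = 0;
    int n;

    /* an absolute argument replaces cwd, a relative one is appended to it */
    n = (arg[0] == '/') ? snprintf(joined, sizeof joined, "%s", arg)
                        : snprintf(joined, sizeof joined, "%s/%s", cwd, arg);
    if (n < 0 || (size_t)n >= sizeof joined || strchr(joined, '\\'))
        return -1;

    /* walk the segments, collapsing "." and ".." before any filesystem call */
    for (const char *p = joined; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (nseg == 0) return -1;       /* would leave the root: refuse */
            nseg--;
            continue;
        }
        if (nseg == FTP_MAX_DEPTH) return -1;
        seg[nseg] = start;
        seglen[nseg] = len;
        nseg++;
    }

    /* rebuild the canonical path; every write is checked against outlen */
    if (outlen < 2) return -1;
    out[0] = '/';
    out[1] = '\0';
    used = 1;
    for (size_t i = 0; i < nseg; i++) {
        if (used + (i > 0) + seglen[i] + 1 > outlen) return -1;
        if (i > 0) out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
        out[used] = '\0';
    }
    return 0;
}
```

A server using this check maps the returned virtual path onto the real root only after the call succeeds, so no `chdir`-style operation ever sees a `..` segment; a -1 result is worth logging, since an authenticated user asking to leave the root is exactly the behaviour this bulletin describes.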

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

BSP UN31: before 2.31

BSP UN30: before 2.31

PB610 Panel Builder 600: 1.91 - 2.8.0.367

External links

http://www.us-cert.gov/ics/advisories/icsa-19-178-01
http://search-ext.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&a...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

4) Input validation error

EUVDB-ID: #VU19013

Risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7228

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

Exploit availability: No

Description

The vulnerability allows an attacker to bypass authentication or execute code on the server.

The vulnerability exists because the IDAL HTTP server is vulnerable to memory corruption through insecure use of user-supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

BSP UN31: before 2.31

BSP UN30: before 2.31

PB610 Panel Builder 600: 1.91 - 2.8.0.367

External links

http://search-ext.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&a...
http://www.us-cert.gov/ics/advisories/icsa-19-178-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

5) Input validation error

EUVDB-ID: #VU19014

Risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7230

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

Exploit availability: No

Description

The vulnerability allows an attacker to bypass authentication or execute code on the server.

The vulnerability exists because the IDAL FTP server is vulnerable to memory corruption through insecure use of user-supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.
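Vulnerabilities #4 and #5 are the same CWE-134 defect in two services, so one illustration covers both. The code below is an added example written for this bulletin, not ABB's or the IDAL server's code: the function names `format_auth_failure` and `has_format_directive`, the log message text and the buffer size are assumptions. The unsafe pattern is shown only in the comment; the hardened function passes user text as a `%s` argument so it can never be interpreted as directives, and a small detector flags inputs that contain conversion directives, which is a useful signal for a server log or an IDS rule.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not ABB code): the CWE-134 pattern behind #4 and #5.
 * The unsafe pattern passes attacker-controlled text as the format string:
 *
 *     snprintf(buf, sizeof buf, user);   // user = "%x%x%n" is interpreted
 *
 * Every '%' directive then reads (or with %n writes) memory chosen by the
 * caller. The hardened form below uses a fixed format and passes the text
 * as an argument, so it can only ever be copied verbatim. */

#define LOG_MAX 128   /* assumed log line capacity */

/* Format an authentication log line for `user`. Returns the number of
 * characters written (excluding the terminator), or -1 if the line would
 * have been truncated, so the caller can emit a fixed stub instead of
 * silently losing the tail of the message. */
int format_auth_failure(char *buf, size_t buflen, const char *user)
{
    int n = snprintf(buf, buflen, "auth failed for user %s", user);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Does `s` contain a printf-style conversion directive? Usernames and FTP
 * arguments almost never legitimately contain '%', so a hit is a cheap
 * detection signal even when the code path itself is already safe. */
int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }   /* "%%" is an escaped literal */
        return p[1] != '\0';                  /* a lone trailing '%' is harmless */
    }
    return 0;
}
```

Compilers can catch the unsafe form at build time: with GCC or Clang, `-Wformat-security` (or `-Werror=format-security`) warns on a printf-family call whose format is not a string literal, which is the cheapest systematic check for this class of bug in a C code base.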

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

BSP UN31: before 2.31

BSP UN30: before 2.31

PB610 Panel Builder 600: 1.91 - 2.8.0.367

External links

http://search-ext.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&a...
http://www.us-cert.gov/ics/advisories/icsa-19-178-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

6) Stack-based buffer overflow

EUVDB-ID: #VU19015

Risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7232

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows an attacker to execute arbitrary code on the target server.

The vulnerability exists due to a boundary error when a large Host header is sent in an HTTP request to the IDAL HTTP server. An unauthenticated attacker can submit a Host header value of 2047 bytes or more to overflow the buffer and overwrite the SEH address, which can then be leveraged to execute attacker-controlled code on the server.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

BSP UN31: before 2.31

BSP UN30: before 2.31

PB610 Panel Builder 600: 1.91 - 2.8.0.367

External links

http://search-ext.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&a...
http://www.us-cert.gov/ics/advisories/icsa-19-178-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

7) Stack-based buffer overflow

EUVDB-ID: #VU19016

Risk: Low

CVSSv3.1: 5.1 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-7231

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when a long string is sent to the IDAL FTP server. An authenticated attacker can send an FTP command string of 472 bytes or more to overflow a buffer, causing an exception that terminates the server.
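Vulnerabilities #6 and #7 are both CWE-121 boundary errors, a Host header in one service and a command line in the other, and the fix pattern is the same: measure the token first, refuse it when it does not fit, and never copy an unbounded value into a fixed stack buffer. The code below is an added example written for this bulletin, not ABB's or the IDAL server's code. The function names `parse_host_header` and `demo_oversized_host`, the 255-character host limit (the RFC 1035 hostname maximum, well below the 2047-byte trigger the bulletin cites) and the constructed request are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not ABB code). Assumed limit: a host name is at most 255
 * characters (RFC 1035), far below the 2047-byte value the bulletin says
 * overflows the vulnerable server. The same bounded-copy pattern applies to
 * the FTP command reader in #7. */
#define HOST_MAX 255

/* Case-insensitive prefix test on a non-terminated span of length n. */
static int starts_with_ci(const char *s, size_t n, const char *prefix)
{
    for (size_t i = 0; prefix[i]; i++)
        if (i >= n || tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Extract the Host header value from a raw HTTP request into host[hostlen].
 * Returns 0 on success, -1 if no Host header is present, -2 if the value
 * does not fit (the caller should reject the request and log the event,
 * since an over-long Host header is the signature of #6). */
int parse_host_header(const char *request, char *host, size_t hostlen)
{
    const char *line = request;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen == 0)
            break;                           /* blank line ends the header block */
        if (starts_with_ci(line, linelen, "Host:")) {
            const char *v = line + 5;
            size_t vlen = linelen - 5;
            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }          /* trim leading */
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;  /* trim trailing */
            if (vlen >= hostlen)
                return -2;                   /* would overflow: refuse, never truncate silently */
            memcpy(host, v, vlen);
            host[vlen] = '\0';
            return 0;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return -1;
}

/* Constructed request whose Host value is 3000 bytes, past the 2047-byte
 * threshold in the bulletin; the parser refuses it instead of overflowing. */
int demo_oversized_host(void)
{
    static char req[4096];
    char host[HOST_MAX + 1];
    size_t n = (size_t)snprintf(req, sizeof req, "GET / HTTP/1.1\r\nHost: ");
    memset(req + n, 'A', 3000);
    n += 3000;
    snprintf(req + n, sizeof req - n, "\r\nUser-Agent: test\r\n\r\n");
    return parse_host_header(req, host, sizeof host);
}
```

The -2 result is the point: a server that counts a rejected over-long header, or a network sensor that alerts on Host values anywhere near 2047 bytes or FTP command lines near 472 bytes directed at an HMI, gets a detection for exactly the inputs these two entries describe.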

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

BSP UN31: before 2.31

BSP UN30: before 2.31

PB610 Panel Builder 600: 1.91 - 2.8.0.367

External links

http://search-ext.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&a...
http://www.us-cert.gov/ics/advisories/icsa-19-178-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


