CVE-2019-7225: ABB HMI Hardcoded Credentials ≈ Packet Storm

XL-19-009 - ABB HMI Hardcoded Credentials Vulnerability========================================================================Identifiers-----------XL-19-009CVE-2019-7225ABBVU-IAMF-1902004ABBVU-IAMF-1902011ABBVU-IAMF-1902002CVSS Score----------8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)Affected vendor---------------ABB (new.abb.com)Credit------xen1thLabs - Software LabsVulnerability summary---------------------The affected ABB components implement hidden administrative accounts used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI.These identified credentials are:IdalMaster : idal123exor : exorThe credentials are sent over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials.Technical details-----------------An attacker can use these credentials to login to any ABB HMI type CP635 to read/write HMI configuration files and reset the device. Combining these actions can push malicious configuration and HMI code to the device.Affected systems----------------CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and priorCP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and priorCP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and priorCP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and priorCP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and priorCP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and priorCP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and priorCP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and priorCP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and priorPB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.3674CP651, order code: 1SAP551100R0001, revision index B1 with BSPUN30 V1.76 and priorCP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and priorCP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and priorCP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and priorCP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and priorCP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and priorCP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and priorCP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and priorSolution--------Apply the patches or changes recommended by the vendor in their vulnerability advisories:  - ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch  - ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch  - ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=LaunchDisclosure timeline-------------------04/02/2019 - Contacted ABB requesting disclosure coordination05/02/2019 - Provided vulnerability details05/06/2019 - Patch available17/06/2019 - xen1thLabs public disclosure