ABB HMI Missing Signature Verification

`XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability  
========================================================================  
  
Identifiers  
-----------  
XL-19-005  
CVE-2019-7229  
ABBVU-IAMF-1902003  
ABBVU-IAMF-1902012  
  
  
CVSS Score  
----------  
8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)  
  
  
Affected vendor  
---------------  
ABB (new.abb.com)  
  
  
Credit  
------  
xen1thLabs - Software Labs  
  
  
Vulnerability summary  
---------------------  
ABB HMI uses two different transmission methods to upgrade its software components:  
  
- Utilization of USB/SD Card to flash the device  
- Remote provisioning process via ABB Panel Builder 600 over FTP  
  
Neither of these transmission methods implement any form of encryption or authenticity checks against the new HMI software binary files.  
  
  
Technical details  
-----------------  
Neither of the update mechanisms implement encryption or authentication checks on the new binaries of the HMI Software components. An attacker could therefore take over the HMI by manipulating these .dll or .exe files to execute arbitrary code on the system.  
  
The following Windows CE ARM executable was pushed to the HMI target via FTP and replaced an already existing binary resulting in remote code execution.  
  
  
Proof of concept  
----------------  
```  
// Code Snippet  
  
#pragma comment(linker, "/ENTRY:ChangedEntry /NODEFAULTLIB /SUBSYSTEM:WINDOWSCE")  
  
void ChangedEntry()  
  
{  
  
printf("Remote Code Execution!");  
  
LPCWSTR buff = L"Software Labs Remote Code Execution Proof of Concept";  
  
LPCWSTR a = L"RCE Vuln";  
  
MessageBox(0, buff, a, MB_OK | MB_ICONQUESTION);  
  
}  
```  
  
  
Affected systems  
----------------  
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior  
CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior  
CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior  
CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior  
CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior  
CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior  
CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior  
CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior  
CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior  
CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior  
CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior  
CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior  
CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior  
CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior  
CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior  
CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior  
CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior  
  
  
Solution  
--------  
ABB has not changed this, relying instead on password protection:  
- ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch  
- ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch  
  
  
Disclosure timeline  
-------------------  
04/02/2019 - Contacted ABB requesting disclosure coordination  
05/02/2019 - Provided vulnerability details  
05/06/2019 - Patch available  
17/06/2019 - xen1thLabs public disclosure  
  
  
`