Vulners
Lucene search
ABB IDAL HTTP Server Authentication Bypass
🗓️ 21 Jun 2019 00:00:00Reported by Eldar MarcussenType 
packetstorm🔗 packetstormsecurity.com👁 116 Views
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | The vulnerability of the /cgi/loginDefaultUser component of the CGI HTTP-server interface of the IDAL user interface design tool PB610 Panel Builder 600 (SAP500900R0101) allows a attacker to escalate their privileges. | 8 Jul 201900:00 | – | bdu_fstec |
 | CVE-2019-7226 | 12 May 202013:27 | – | circl |
 | ABB PB610 IDAL HTTP server authentication vulnerability | 28 Jun 201900:00 | – | cnvd |
 | CVE-2019-7226 | 27 Jun 201915:52 | – | cve |
 | CVE-2019-7226 | 27 Jun 201915:52 | – | cvelist |
 | EUVD-2019-16770 | 7 Oct 202500:30 | – | euvd |
 | ABB PB610 Panel Builder 600 | 27 Jun 201900:00 | – | ics |
 | CVE-2019-7226 | 27 Jun 201916:15 | – | nvd |
 | Authentication flaw | 27 Jun 201916:15 | – | prion |
 | PT-2019-2565 · Abb · Abb Idal | 13 Jun 201900:00 | – | ptsecurity |
10
`XL-19-010 - ABB IDAL HTTP Server Authentication Bypass Vulnerability
========================================================================
Identifiers
-----------
XL-19-010
CVE-2019-7226
ABBVU-IAMF-1902005
CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected vendor
---------------
ABB (new.abb.com)
Credit
------
Eldar Marcussen - xen1thLabs - Software Labs
Vulnerability summary
---------------------
The IDAL HTTP server CGI interface contains a URL, which allows an unauthenticated attacker to bypass authentication and gain access to privileged functions.
Technical details
-----------------
In the IDAL CGI interface, there is a URL (/cgi/loginDefaultUser), which will create a session in an authenticated state and return the session ID along with the username and plaintext password of the user. An attacker can then login with the provided credentials or supply the string 'IDALToken=......' in a cookie which will allow them to perform privileged operations such as restarting the service with /cgi/restart.
Proof of concept
----------------
```
GET http://localhost:81/cgi/loginDefaultUser
````
1
#S_OK
IDALToken=532c8632b86694f0232a68a0897a145c
admin
adminpass
Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367
Solution
--------
Apply the patches and instructions from vendor:
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Jun 2019 00:00Current
EPSS0.0526