Vulnerability Description
The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to login to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Abb | Cp620 Firmware | <= 1.76 |
| Abb | Cp620 | - |
| Abb | Cp620-Web Firmware | <= 1.76 |
| Abb | Cp620-Web | - |
| Abb | Cp630 Firmware | <= 1.76 |
| Abb | Cp630 | - |
| Abb | Cp630-Web Firmware | <= 1.76 |
| Abb | Cp630-Web | - |
| Abb | Cp635 Firmware | <= 1.76 |
| Abb | Cp635 | - |
| Abb | Cp635-B Firmware | <= 1.76 |
| Abb | Cp635-B | - |
| Abb | Cp635-Web Firmware | <= 1.76 |
| Abb | Cp635-Web | - |
| Abb | Pb610 Firmware | >= 1.91, <= 2.8.0.3674 |
| Abb | Pb610 | - |
| Abb | Cp651-Web Firmware | <= 1.76 |
| Abb | Cp651-Web | - |
| Abb | Cp661 Firmware | <= 1.76 |
| Abb | Cp661 | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/153397/ABB-HMI-Hardcoded-Credentials.htmlThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2019/Jun/38Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/108922Third Party AdvisoryVDB Entry
- https://www.darkmatter.ae/xen1thlabs/abb-hmi-hardcoded-credentials-vulnerabilityExploitPatchThird Party Advisory
- http://packetstormsecurity.com/files/153397/ABB-HMI-Hardcoded-Credentials.htmlThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2019/Jun/38Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/108922Third Party AdvisoryVDB Entry
- https://www.darkmatter.ae/xen1thlabs/abb-hmi-hardcoded-credentials-vulnerabilityExploitPatchThird Party Advisory
FAQ
What is CVE-2019-7225?
CVE-2019-7225 is a vulnerability with a CVSS score of 8.8 (HIGH). The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to f...
How severe is CVE-2019-7225?
CVE-2019-7225 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-7225?
Check the references section above for vendor advisories and patch information. Affected products include: Abb Cp620 Firmware, Abb Cp620, Abb Cp620-Web Firmware, Abb Cp620-Web, Abb Cp630 Firmware.