CVE-2019-7229 Information

Description

The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via ABB Panel Builder 600 over FTP." Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files.

CVSS Vector

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Reference

http://packetstormsecurity.com/files/153387/ABB-HMI-Missing-Signature-Verification.html
http://seclists.org/fulldisclosure/2019/Jun/34
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch
https://www.darkmatter.ae/xen1thlabs/abb-hmi-absence-of-signature-verification-vulnerability-xl-19-005/

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.3

Base Severity

HIGH
