Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ABB Patches Many Vulnerabilities in HMI Products

Swiss industrial tech company ABB has patched a dozen vulnerabilities, including serious issues, in some of its human-machine interface (HMI) products.

Swiss industrial tech company ABB has patched a dozen vulnerabilities, including serious issues, in some of its human-machine interface (HMI) products.

Researchers at xen1thLabs, the labs unit of UAE-based cybersecurity firm DarkMatter, discovered 12 vulnerabilities that can be used to bypass authentication, execute arbitrary code, and gain access to information.

The vulnerabilities impact CP635 and CP651 control panels used as HMIs for ABB automation systems, and the PB610 Panel Builder 600 engineering tool for designing HMI applications.ABB HMI

xen1thLabs has described the security holes in 8 advisories and ABB has covered the flaws across 3 advisories (ABB CP635 HMI, ABB PB610, ABB CP651 HMI).

The security holes are related to outdated software components with known vulnerabilities, hardcoded credentials that provide admin access, weaknesses in software update mechanisms, a path traversal that allows access to folders on the FTP server, denial-of-service (DoS) issues, and code execution flaws that can be exploited by unauthenticated attackers by sending specially crafted requests.

“An attacker who successfully exploited this vulnerability could prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node or insert and run arbitrary code in an affected system node,” the vendor wrote in the advisories covering the control panel flaws.

Learn More About HMI Flaws at SecurityWeek’s 2019 ICS Cyber Security Conference

If a vulnerable system is connected to a network, an attacker with access to the network can exploit the flaws. If the system is isolated from an organization’s network, launching an attack requires physical access to the affected device.

“Recommended practices include that process control sys-tems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed,” ABB said.

Advertisement. Scroll to continue reading.

According to the vendor, there is no evidence that the details of the vulnerabilities had been made public before their official disclosure or that any of them had been exploited for malicious purposes.

The advisories from xen1thLabs show that the vulnerabilities were reported to ABB in early February and patches were released in early June. The advisories include both technical details and proof-of-concept (PoC) code.

Related: Serious Flaws Found in ABB Safety PLC Gateways

Related: Critical Flaws Expose ABB Door Communication Systems to Attacks

Related: ABB to Patch Code Execution Flaw in HMI Tool

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.