CVE-2019-7226

ABB IDAL HTTP Server Authentication Bypass

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session in an authenticated state and returns the session ID along with what may be the username and cleartext password of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged operations such as restarting the service with /cgi/restart. A GET request to /cgi/loginDefaultUser may result in "1 #S_OK IDALToken=532c8632b86694f0232a68a0897a145c admin admin" or a similar response.

La interfaz CGI del servidor HTTP ABB IDAL contiene una URL que permite a un atacante no identificado eludir la autenticación y obtener acceso a funciones privilegiadas. Específicamente, / cgi / loginDefaultUser crea una sesión en un estado autenticado y devuelve el ID de sesión junto con lo que puede ser el nombre de usuario y la contraseña de texto simple del usuario. Un atacante puede proporcionar un valor IDALToken en una cookie, lo que les permitirá realizar operaciones privilegiadas, como reiniciar el servicio con / cgi / restart. Una solicitud GET para / cgi / loginDefaultUser puede dar como resultado "1 #S_OK IDALToken = 532c8632b86694f0232a68a0897a145c admin admin" o una respuesta similar.

The IDAL HTTP server CGI interface contains a URL, which allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. In the IDAL CGI interface, there is a URL (/cgi/loginDefaultUser), which will create a session in an authenticated state and return the session ID along with the username and plaintext password of the user. An attacker can then login with the provided credentials or supply the string 'IDALToken=......' in a cookie which will allow them to perform privileged operations such as restarting the service with /cgi/restart.

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-01-30 CVE Reserved
2019-06-21 CVE Published
2024-07-25 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication

CAPEC

References (4)

URL	Tag	Source
http://www.securityfocus.com/bid/108886	Third Party Advisory

URL	Date	SRC
http://packetstormsecurity.com/files/153402/ABB-IDAL-HTTP-Server-Authentication-Bypass.html	2024-08-04
http://seclists.org/fulldisclosure/2019/Jun/39	2024-08-04
https://www.darkmatter.ae/xen1thlabs/abb-idal-http-server-authentication-bypass-vulnerability-xl-19-010	2024-08-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Abb Search vendor "Abb"	Pb610 Panel Builder 600 Firmware Search vendor "Abb" for product "Pb610 Panel Builder 600 Firmware"	>= 1.91 <= 2.8.0.367 Search vendor "Abb" for product "Pb610 Panel Builder 600 Firmware" and version " >= 1.91 <= 2.8.0.367"	-	Affected	in	Abb Search vendor "Abb"	Pb610 Panel Builder 600 Search vendor "Abb" for product "Pb610 Panel Builder 600"	-	-	Safe