Serious flaws exposed in ABB door communication systems

Researchers at the German security company ERNW found that there are several critical flaws in the access control system of Swiss industrial technology company ABB.

The vulnerable product is the ABB IP gateway (also sold under the Busch-Jaeger brand), which is a component of ABB’s access control communications solution. Such solutions include audio and video intercoms, fingerprint readers, and more. The primary role of the IP gateway is to provide connectivity for walkie-talkies, local networks, and mobile applications that can be used to monitor and control the system remotely.

ABB recently stated in its security bulletin that there are several potentially severe vulnerabilities in IP gateways running firmware version 3.39 and earlier.

One of the vulnerabilities discovered by the researchers is a remote code injection flaw that allows an attacker on the local network to take control of the target device. It affects the device's local web server, which an attacker can exploit by sending it specially crafted data.

  • Improper authentication (CVE-2017-7931)
    Missing session management made it possible for a malicious user to be able to access the configuration files and application pages without authentication.
  • Plaintext storage of a password (CVE-2017-7933)
    After a successful login, the administrator's password can be read from the cookie in the user's browser. The attacker must first compromise the client system in order to extract the clear-text password cookie.
  • Cross-site request forgery (CVE-2017-7906)
    The product is vulnerable to cross-site request forgery attacks. The web server does not sufficiently verify that a request was performed by the authenticated user, which may allow an attacker to launch a request impersonating that user.
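The three weaknesses in the list above, shown as an added illustration that is not ABB's firmware code and assumes nothing about how the gateway's web server is actually written: a flawed handler that reproduces each pattern (no session lookup, the password itself stored in the cookie, no binding of state-changing requests to the user) next to a hardened one that keeps a server-side session table, puts only an opaque random id in the cookie, and requires a per-session CSRF token on POST/PUT/DELETE. The account table, salt and request model are constructed for the example.

```python
"""Model of the three web-side weaknesses in the advisory next to a hardened
request handler.  Constructed example; it is not ABB's or Busch-Jaeger's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed account table: salted PBKDF2 digests, never the clear-text password.
_SALT = b"constructed-salt"
_ITER = 100_000
ACCOUNTS = {"admin": hashlib.pbkdf2_hmac("sha256", b"hunter2", _SALT, _ITER)}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def check_password(user: str, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    digest = ACCOUNTS.get(user)
    # compare_digest keeps the comparison constant-time; hashing before the
    # lookup keeps a missing user from returning measurably faster
    return digest is not None and hmac.compare_digest(candidate, digest)


# --- flawed design: the patterns behind CVE-2017-7933, -7931 and -7906 ---
def flawed_login(user: str, password: str):
    """Puts the password itself into the cookie (plaintext password storage)."""
    if not check_password(user, password):
        return None
    return {"user": user, "password": password}


def flawed_handle(req: Request) -> str:
    """No session lookup: every request reaches configuration pages (improper
    authentication), and nothing ties a POST to the logged-in user (CSRF)."""
    return "200 OK"


# --- hardened design ---
SESSIONS: dict = {}          # opaque session id -> {"user": ..., "csrf": ...}
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def hardened_login(user: str, password: str):
    if not check_password(user, password):
        return None
    sid = os.urandom(32).hex()                      # unguessable, carries no secret
    SESSIONS[sid] = {"user": user, "csrf": os.urandom(32).hex()}
    return {"session": sid}                         # only the opaque id is set as a cookie


def csrf_token_for(cookies: dict) -> str:
    """Token the server renders into its own forms for this session."""
    return SESSIONS[cookies["session"]]["csrf"]


def hardened_handle(req: Request) -> str:
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return "401 Unauthorized"                   # config pages need a valid session
    if req.method in STATE_CHANGING:
        token = req.form.get("csrf", "")
        if not hmac.compare_digest(token, session["csrf"]):
            return "403 Forbidden"                  # request not provably from this user
    return "200 OK"


def logout(cookies: dict) -> None:
    SESSIONS.pop(cookies.get("session", ""), None)


if __name__ == "__main__":
    print("flawed cookie:", flawed_login("admin", "hunter2"))
    print("flawed GET /config.html without login:", flawed_handle(Request("GET", "/config.html")))
    jar = hardened_login("admin", "hunter2")
    print("hardened cookie:", jar)
    print("hardened GET without login:", hardened_handle(Request("GET", "/config.html")))
    print("hardened POST without token:", hardened_handle(Request("POST", "/config.html", jar)))
    print("hardened POST with token:", hardened_handle(
        Request("POST", "/config.html", jar, {"csrf": csrf_token_for(jar)})))
    logout(jar)
    print("after logout:", hardened_handle(Request("GET", "/config.html", jar)))
```

The design point is that the cookie never needs to hold anything worth stealing: a leaked session id can be revoked with `logout`, whereas a leaked administrator password cannot, and a cross-site form post fails on the token check even when the browser attaches the session cookie automatically.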

ABB has released firmware version 3.40 to fix these vulnerabilities and also recommends mitigations, the most important being that users ensure the gateway's web server cannot be reached directly from the Internet.