|CERT-In Vulnerability Note
Multiple Vulnerabilities in ABB IP-Gateway
Original Issue Date:June 13, 2018
Severity Rating: HIGH
- IP Gateway Versions 3.39 and prior
Multiple Vulnerabilities have been reported in ABB-IP Gateway which could allow a remote attacker to gain unauthorized access, obtain sensitive information without authentication and launch impersonated requests.
1. Authentication Bypass Vulnerability
This vulnerability exists due to missing session management. An attacker could exploit this vulnerability by accessing a specific URL on the web server.
Successful exploitation of this vulnerability could allow an attacker to access the configuration files and application pages without authentication.
2. Cross-site Request Forgery Vulnerability
This vulnerability exists as the web server insufficiently verify authenticated user requests. Successful exploitation of this vulnerability could allow an attacker to allow an attacker to launch a request impersonating an authenticated user.
3. Information Disclosure Vulnerability
This vulnerability exists as some configuration files contain passwords stored in plain-text. An attacker could exploit this vulnerability by extracting the cookies from a users browser.
Successful exploitation of this vulnerability could allow an attacker to allow an attacker to gain unauthorized access.
Note: The attacker must first compromise the client system to successfully extract the clear-text password cookie.
- Access IP-Gateways local configuration webserver in a browser┐s incognito mode to allow deletion of cookies.
- Access the IP-Gateway┐s local configuration webserver exclusively within the local network and not over the Internet as the IPGW does not support a TLS protected connection (HTTPS).
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- Use VPN connection to the IP-Gateways local network to access the configuration webserver remotely.
Upgrade to the latest firmware version as mentioned in the vendor advisory
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003