ABB Working to Fix Safety Gateway Holes

Tuesday, December 18, 2018 @ 03:12 PM gHale

ABB is still working on a fix for a missing authentication for critical functions and a persistent cross-site scripting vulnerability in the ABB GATE E1 and the ABB GATE E2, a security researcher said.

The ABB GATE E1/E2 Pluto Gateway units provide two-way communication between a Pluto Safety PLC and other field buses.


Exploitation of these vulnerabilities may allow an attacker to compromise the availability of the device or compromise the web browser of an administrator visiting the web portal. The findings include a total lack of authentication for the administrative interfaces on the device, as well as an unauthenticated persistent cross-site scripting vulnerability, said Applied Risk security researcher Nelson Berg, who discovered the issues. Applied Risk has worked alongside the manufacturer in the responsible disclosure process.

The device is commonly used in a range of industries such as oil and gas, manufacturing, chemicals, and power.

In one vulnerability, the devices do not allow authentication to be configured on their administrative telnet/web interfaces. Access to the administrative interface allows attackers to compromise the availability of the device, by continuously resetting it, and the integrity/confidentiality of the device, by modifying/reading registers and changing configuration such as the device’s IP address.

Applied Risk calculated a CVSS v3 base score of 9.8 for the missing authentication for critical functions vulnerability.

In the other issue, it is possible to inject an HTML/JavaScript payload via both the administrative HTTP and telnet interfaces that will be rendered when viewing the device’s web portal. This can compromise the web browser of an administrator visiting the web portal.

For the persistent cross-site scripting issue, there is a CVSS v3 base score of 7.1.

“Because no authentication functionality is implemented on any administrative interface, attackers are able to compromise the availability of the device, by continuously resetting the device and the integrity/confidentiality of the device, by modifying/reading registers and allowing for the change of configuration such as the device’s IP address,” Berg said in a post.

“By inserting a HTML/JavaScript payload in any of the device’s properties which are displayed (such as the description or PNIO Device name) it is possible to display/execute HTML/JavaScript in the browser of visitors,” he said. “Given the context of the device, this will most commonly be the plant operators.”
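The stored cross-site scripting issue described above comes down to device property values (such as the description or PNIO device name) being written into the web portal without output encoding. The following is an added example, not ABB's firmware code, showing the vulnerable rendering pattern beside a hardened one, plus an audit helper an operator could run over an exported configuration to spot stored markup in property values. The property names, the sample values, and the rendering functions are all constructed for illustration.

```python
"""Added example (not ABB's code): rendering device properties safely and
auditing stored property values for embedded markup.

Assumption: device properties are available as a dict of strings; the keys
'description' and 'pnio_device_name' are illustrative names chosen to mirror
the properties the article mentions.
"""
import html
import re
from typing import Dict, List

# Constructed sample: one benign property and one carrying HTML markup, as a
# defender might find after reviewing a configuration export.
SAMPLE_PROPERTIES: Dict[str, str] = {
    "description": "Pluto gateway, line 3",
    "pnio_device_name": "gate-e2-<script>alert(1)</script>",
}

# Matches anything that looks like a tag, an inline event handler attribute,
# or a javascript: URL inside a stored property value.
_MARKUP_RE = re.compile(r"<[^>]*>|on\w+\s*=|javascript:", re.IGNORECASE)


def render_unsafe(props: Dict[str, str]) -> str:
    """Vulnerable pattern: values are concatenated straight into HTML, so a
    stored payload is rendered (and executed) in the visiting browser."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in props.items())
    return f"<table>{rows}</table>"


def render_safe(props: Dict[str, str]) -> str:
    """Hardened pattern: every value is HTML-escaped at output time, so the
    browser displays the stored text instead of interpreting it as markup."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in props.items()
    )
    return f"<table>{rows}</table>"


def find_markup_in_properties(props: Dict[str, str]) -> List[str]:
    """Audit helper: return the names of properties whose stored value contains
    HTML-like content. Intended for checking a configuration export from a
    device whose interfaces cannot enforce authentication."""
    return [name for name, value in props.items() if _MARKUP_RE.search(value)]


if __name__ == "__main__":
    print("flagged properties:", find_markup_in_properties(SAMPLE_PROPERTIES))
    print(render_safe(SAMPLE_PROPERTIES))
```

Output encoding at render time is the fix that belongs in the device firmware; the audit helper is a stopgap for operators who cannot patch yet and want to verify that nothing markup-like has been written into a gateway's properties while the interfaces remain unauthenticated.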

No official patch has been released for GATE-E1 or GATE-E2 devices.
