PT-2019-2564 · Abb · Abb Cp635+15
Published: 2019-06-05 · Updated: 2022-01-01 · CVE-2019-7229
CVSS v3.1: 8.3 High
Vector: AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ABB CP620 version 1SAP520100R0001
ABB CP620 version 1SAP520100R4001
ABB CP620-WEB version 1SAP520200R0001
ABB CP630 version 1SAP530100R0001
ABB CP630-WEB version 1SAP530200R0001
ABB CP635 version 1SAP535100R0001
ABB CP635 version 1SAP535100R5001
ABB CP635-B version 1SAP535100R2001
ABB CP635-WEB version 1SAP535200R0001
ABB CP651 version 1SAP551100R0001
ABB CP651-WEB version 1SAP551200R0001
ABB CP661 version 1SAP561100R0001
ABB CP661-WEB version 1SAP561200R0001
ABB CP665 version 1SAP565100R0001
ABB CP665-WEB version 1SAP565200R0001
ABB CP676 version 1SAP576100R0001
ABB CP676-WEB version 1SAP576200R0001
Description
The issue stems from the lack of technical measures to protect information while software components are upgraded, either via USB/SD card or via remote initialization using ABB Panel Builder 600 over FTP. This allows a remote attacker to gain unauthorized access to protected information. The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and software components, and neither of them implements encryption or authenticity checks against the new firmware HMI software binary files.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Certificate Validation
Affected Products
Abb Cp620
Abb Cp620-Web
Abb Cp630
Abb Cp630-Web
Abb Cp635
Abb Cp635-B
Abb Cp635-Web
Abb Cp651
Abb Cp651-Web
Abb Cp661
Abb Cp661-Web
Abb Cp665
Abb Cp665-Web
Abb Cp676
Abb Cp676-Web
Abb Panel Builder 600