CVE-2019-7226

Name of the Vulnerable Software and Affected Versions ABB IDAL (affected versions not specified)

Description The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. Specifically, the "/cgi/loginDefaultUser" API endpoint creates a session in an authenticated state and returns the session ID along with what may be the username and cleartext password of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged operations such as restarting the service with the "/cgi/restart" API endpoint.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the "/cgi/loginDefaultUser" API endpoint until a patch is available. Restrict access to the "/cgi/restart" API endpoint to minimize the risk of exploitation. Avoid using the IDALToken value in cookies until the issue is resolved.