Information of security of network of more whole world all is in Www.easyaq.com of net of E safety official
The researcher of ERNW of company of dispatch Germany security discovered E safety on June 13, the entrance guard communication of ABB of Swiss technology company is put in many serious flaw in the system.
Incidence
Easy the product that suffers attack is ABB IP gateway (also sell with Busch-Jaeger brand at the same time) , it is a component of solution of communication of ABB entrance guard. This kind of solution includes frequency and video interphone, dactylogram to read take implement etc.
ABB expresses in the safe announcement that the near future issues, moving firmware version is put in a few potential serious flaw in the 3.39 IP gateway with earlier version.
The main effect of IP gateway is to be network of interphone, this locality and the shift that can be used at long-range monitoring and control system to apply a program to provide link.
Put in the many flaw such as long-range code infuse
Researcher discovers among them a flaw is flaw of long-range code infuse, the aggressor that allows to visit this locality network controls end equipment. This flaw affects this locality to configure Web server, aggressor can send tailor-made information to exploit this loophole to the system.
One, flaw of incorrect identity test and verify (CVE-2017-7931)
Allow aggressor to bypass identity test and verify, the visit configures the page on file and Web server.
2, flaw of password of memory of proclaimed in writing (CVE-2017-7933)
After aggressor logins successfully can get administrator password from inside the browser Cookie of the user, but premise is, aggressor must cast the first stone the client carries a system, extract Cookie of password of proclaimed in writing in order to succeed.
3, the request that cross a station forges flaw (CVE-2017-7906)
Allow aggressor to execute a variety of operations with the identity of lawful user.
These attack can come true remotely, but ask the user is alternant normally, click webpage of ill will of link, visit to wait for example.
ABB expresses, have not discover the circumstance that these flaw use at present, and have not publish flaw detailed information at present.
Already released firmware to update
ABB company already released firmware version 3.4 rehabilitate these flaw, offerred a few solutions to alleviate attack is minatory, among them the mainest proposal is, hope user ensures Web server cannot be visited through Internet directly.
