RVD#3326: Hardcoded default credentials on IRC 5 OPC Server
rvd-bot opened this issue · 0 comments
id: 3326
title: 'RVD#3326: Hardcoded default credentials on IRC 5 OPC Server'
type: exposure
description: The IRC5 family with the UAS service enabled ships by default with credentials
  that can be found in publicly available manuals. ABB considers this well-documented
  functionality that helps customers set up the system; however, in our research we found
  multiple production systems still running these exact default credentials, and we
  therefore consider this an exposure that should be mitigated. Moreover, future
  deployments should forbid these defaults (the user should be forced to change them).
cwe: CWE-255
cve: CVE-2020-10287
keywords:
  - IRC5, FTP, Credentials
system: IRB140, IRC5
vendor: ABB
severity:
  rvss-score: 10.0
  rvss-vector: RVSS:1.0/AV:RN/AC:L/PR:N/UI:N/Y:M/S:U/C:H/I:N/A:H/H:U/
  severity-description: Critical
  cvss-score: 9.1
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
links:
  - https://nvd.nist.gov/vuln/detail/CVE-2020-10287
  - https://github.com/aliasrobotics/RVD/issues/3326
flaw:
  phase: testing
  specificity: general-issue
  architectural-location: Platform code
  application: OPC Server
  subsystem: UI:Login
  package: N/A
  languages: None
  date-detected: 2020-05-18
  detected-by: Alfonso Glera, Victor Mayoral Vilches (Alias Robotics)
  detected-by-method: dynamic testing, browser
  date-reported: '2020-07-15'
  reported-by: Victor Mayoral Vilches
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3326
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe: ''
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null
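The practical follow-up to the description above is an inventory check: do any of your controllers still accept the vendor-documented defaults? The script below is an added example written for this page; it is not part of the RVD record, of ABB's software, or of the researchers' (undisclosed) reproduction. It assumes the exposed service is FTP (the record lists FTP under keywords) on port 21, and it takes the documented default pairs from an operator-supplied file rather than embedding any value, since the record does not disclose them. The login check is injectable so the audit logic can be exercised against a fake oracle without a live controller.

```python
"""Audit robot controllers for still-active documented default credentials.

Added example, not part of the RVD record or ABB's software. Assumes the
exposed service is FTP and that the operator supplies the vendor-documented
default pairs (user:password per line); no real credential values appear here.
"""
from __future__ import annotations

import ftplib
from dataclasses import dataclass, field
from typing import Callable, Iterable

# Signature of a login oracle: (host, port, user, password) -> accepted?
LoginCheck = Callable[[str, int, str, str], bool]


@dataclass
class Finding:
    host: str
    accepted: list[tuple[str, str]] = field(default_factory=list)
    unreachable: bool = False


def ftp_login_ok(host: str, port: int, user: str, password: str,
                 timeout: float = 5.0) -> bool:
    """Return True if the FTP service accepts user/password.

    A 530-style rejection returns False; connection failures (OSError)
    propagate so the caller can distinguish 'locked down' from 'not tested'.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return True
    except ftplib.error_perm:
        return False
    finally:
        try:
            ftp.close()
        except OSError:
            pass


def parse_default_list(text: str) -> list[tuple[str, str]]:
    """Parse 'user:password' lines; blank lines and '#' comments are ignored."""
    pairs: list[tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        pairs.append((user, password))
    return pairs


def audit(hosts: Iterable[str], defaults: list[tuple[str, str]],
          port: int = 21, check: LoginCheck = ftp_login_ok) -> list[Finding]:
    """Try every documented default against every host; record each accepted pair."""
    findings: list[Finding] = []
    for host in hosts:
        f = Finding(host=host)
        try:
            for user, password in defaults:
                if check(host, port, user, password):
                    f.accepted.append((user, password))
        except OSError:
            f.unreachable = True  # nothing proven either way for this host
        findings.append(f)
    return findings


def report(findings: list[Finding]) -> str:
    """One line per host; usernames only, passwords never reach the report."""
    lines = []
    for f in findings:
        if f.unreachable:
            lines.append(f"{f.host}: UNREACHABLE (not tested)")
        elif f.accepted:
            users = ", ".join(u for u, _ in f.accepted)
            lines.append(f"{f.host}: FAIL default credentials accepted for {users}")
        else:
            lines.append(f"{f.host}: OK no documented default accepted")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python audit_defaults.py defaults.txt 192.0.2.10 192.0.2.11 ...
    with open(sys.argv[1]) as fh:
        documented_defaults = parse_default_list(fh.read())
    print(report(audit(sys.argv[2:], documented_defaults)))
```

Run it from a host that is allowed to reach the controllers' management network, and treat an UNREACHABLE line as an untested host rather than a clean one; the report deliberately prints only usernames so it can be filed with a ticket without leaking the defaults themselves.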