CVE-2021-35527
📋 TL;DR
This CVE describes a password autocomplete vulnerability in the Hitachi ABB Power Grids eSOMS web application: the login password field does not disable browser autocomplete, so credentials the browser stores for the application can be recovered by an attacker. It affects eSOMS version 6.3 and earlier. The vulnerability enables credential theft when attackers gain physical or remote access to user workstations.
💻 Affected Systems
- Hitachi ABB Power Grids eSOMS
📦 What is this software?
eSOMS by Hitachi Energy
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative credentials leading to complete system compromise, data exfiltration, and potential industrial control system manipulation.
Likely Case
Attackers steal user credentials through phishing, malware, or physical access, enabling unauthorized access to the eSOMS system.
If Mitigated
Credential theft is prevented through proper browser security settings and access controls, limiting attacker impact.
🎯 Exploit Status
Exploitation requires access to the user's browser or workstation; no special tools needed beyond browser inspection capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.4 or later
Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A0957&LanguageCode=en&DocumentPartId=&Action=Launch
Restart Required: Yes
Instructions:
1. Download the patch from the vendor advisory.
2. Back up the current installation.
3. Apply the patch following the vendor instructions.
4. Restart the application services.
5. Verify that the fix is in place.
🔧 Temporary Workarounds
Disable Browser Password Autocomplete
Configure browsers not to save passwords for the eSOMS application
Browser-specific: Disable password saving in security settings
Add autocomplete='off' to Password Field
Modify the web application to disable autocomplete on its password fields
<input type='password' autocomplete='off'>
🧯 If You Can't Patch
- Implement strict workstation access controls and screen locking policies
- Use browser group policies to disable password saving for the eSOMS URL
🔍 How to Verify
Check if Vulnerable:
Check whether the password field on the eSOMS login page carries the autocomplete='off' attribute; if it is missing, the instance is vulnerable.
Check Version:
Check the eSOMS version in the application interface or configuration files; it should be 6.4 or later.
Verify Fix Applied:
Verify password field now includes autocomplete='off' and browser doesn't prompt to save passwords.
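The workaround and the verification step above both come down to the same markup check. The following is an added example, not vendor code, that parses login-page HTML and flags any password input that neither carries autocomplete='off' itself nor sits inside a form with autocomplete='off' (the form-level attribute applies to contained controls per the HTML specification). The sample pages are constructed for the demo and are not eSOMS markup.

```python
from html.parser import HTMLParser

class PasswordFieldAudit(HTMLParser):
    # Collect every <input type="password"> and whether autocomplete is
    # disabled on the field itself or on its enclosing <form>.
    def __init__(self):
        super().__init__()
        self.fields = []        # one dict per password field found
        self._form_stack = []   # True for each open <form autocomplete="off">

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self._form_stack.append(a.get("autocomplete") == "off")
        elif tag == "input" and a.get("type") == "password":
            form_off = bool(self._form_stack and self._form_stack[-1])
            field_off = a.get("autocomplete") == "off"
            self.fields.append({"name": a.get("name") or a.get("id") or "<unnamed>",
                                "autocomplete_off": field_off or form_off})

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()

def audit_login_page(html):
    """Return one record per password field on the page."""
    p = PasswordFieldAudit()
    p.feed(html)
    p.close()
    return p.fields

def is_vulnerable(html):
    """True if any password field still lets the browser offer to store the credential."""
    return any(not f["autocomplete_off"] for f in audit_login_page(html))

# Constructed sample login pages for the demo (not eSOMS markup).
VULNERABLE_PAGE = """<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>"""
FIXED_PAGE = """<form method="post" action="/login">
  <input type="text" name="username">
  <input type='password' name='password' autocomplete='off'>
</form>"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, "->", "VULNERABLE" if is_vulnerable(page) else "ok", audit_login_page(page))
```

Current browsers may still offer to save a password regardless of this attribute, so a clean result confirms the mitigation is present, not that every browser honours it; the browser group-policy workaround above covers that gap.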
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from new locations
- Unusual access patterns for specific users
Network Indicators:
- Unexpected authentication requests
- Traffic from unauthorized IP addresses
SIEM Query:
source="eSOMS" AND (event_type="authentication" AND result="failure") | stats count by user, src_ip