ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdmin

Title: ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdmin
Advisory ID: ZSL-2024-5830
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 26.09.2024
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.
Description
The ABB BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet.
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.01
Tested On
GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
phpMyAdmin 2.11.9
Vendor Status
[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[01.07.2023] Vendor releases version 3.07.02 to address this issue.
[26.09.2024] Public security advisory released.
PoC
abb_aspect_hardcoded1.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
Reported by DIVD
References
[1] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&LanguageCode=en&DocumentPartId=&Action=Launch
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4007
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-4007
[4] https://packetstormsecurity.com/files/181853/ABB-Cylon-Aspect-3.07.01-Hard-Coded-Credentials.html
[5] https://cxsecurity.com/issue/WLB-2024090039
Changelog
[26.09.2024] - Initial release
[23.10.2024] - Added reference [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk