ABB Cylon Aspect 3.08.01 (pupDumpStats.php) Information Disclosure
Title: ABB Cylon Aspect 3.08.01 (pupDumpStats.php) Information Disclosure
Advisory ID: ZSL-2024-5876
Type: Local/Remote
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 08.12.2024
Firmware: <=3.08.01
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[07.08.2024] Vendor released version 3.08.02 to address this issue.
[11.12.2024] Coordinated public security advisory released.
[2] https://packetstorm.news/files/id/183077/
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2024-5876
Type: Local/Remote
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 08.12.2024
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. The AAM PUP (Primary Utility Protocol) is a proprietary protocol supported by certain building management systems, such as the ABB MATRIX-2 series controllers. It is used for communication and integration with various utility devices within a building's control system. This protocol supports supervisory functions like energy management, alarm and event handling, historical trending, and scheduling.Description
The ABB Cylon ASPECT system contains an unauthenticated information disclosure vulnerability in the pupDumpStats.php script. When this endpoint is accessed, it triggers the download of a sensitive debug file located at /usr/local/aam/var/pupdbg.dump. This file may contain internal system information, including protocol states, transaction logs, and system mappings. The vulnerability arises from an Insecure Direct Object Reference (IDOR) issue, where the script does not validate or authenticate the requester before allowing access to the debug file. Exploiting this flaw enables an attacker to retrieve sensitive operational data, potentially aiding in further exploitation of the system.Vendor
ABB Ltd. - https://www.global.abbAffected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: <=3.08.01
Tested On
GNU/Linux 3.15.10 (armv7l)GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vendor Status
[21.04.2024] Vulnerability discovered.[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[07.08.2024] Vendor released version 3.08.02 to address this issue.
[11.12.2024] Coordinated public security advisory released.
PoC
abb_aspect_info6.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch[2] https://packetstorm.news/files/id/183077/
Changelog
[11.12.2024] - Initial releaseContact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
