ABB Cylon Aspect 3.08.02 (editOverride.php) Authentication Bypass MIX Override
Title: ABB Cylon Aspect 3.08.02 (editOverride.php) Authentication Bypass MIX Override
Advisory ID: ZSL-2024-5884
Type: Local/Remote
Impact: Manipulation of Data, DoS, Security Bypass
Risk: (5/5)
Release Date: 16.12.2024
Firmware: <=3.08.02
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[16.12.2024] Coordinated public security advisory released.
[2] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[3] https://www.cve.org/CVERecord?id=CVE-2024-48840
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-48840
[5] https://ergotech.com/mix
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2024-5884
Type: Local/Remote
Impact: Manipulation of Data, DoS, Security Bypass
Risk: (5/5)
Release Date: 16.12.2024
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.Description
The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.Vendor
ABB Ltd. - https://www.global.abbAffected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: <=3.08.02
Tested On
GNU/Linux 3.15.10 (armv7l)GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vendor Status
[21.04.2024] Vulnerability discovered.[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[16.12.2024] Coordinated public security advisory released.
PoC
abb_aspect_auth1.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5879.php[2] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[3] https://www.cve.org/CVERecord?id=CVE-2024-48840
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-48840
[5] https://ergotech.com/mix
Changelog
[16.12.2024] - Initial releaseContact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
