Headline
ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution
The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of ‘rundeploy.sh’ script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.
Title: ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution
Advisory ID: ZSL-2024-5891
Type: Local/Remote
Impact: Security Bypass, DoS
Risk: (5/5)
Release Date: 30.12.2024
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.
Description
The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of ‘rundeploy.sh’ script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Tested On
GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel® Atom™ Processor E3930 @ 1.30GHz
Intel® Xeon® Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vendor Status
[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[30.12.2024] Coordinated public security advisory released.
PoC
abb_aspect_rce19.txt
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[2] https://www.cve.org/CVERecord?id=CVE-2024-48840
[3] https://packetstorm.news/files/id/183307/
Changelog
[30.12.2024] - Initial release
[02.01.2025] - Added reference [3]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]
Related news
The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.