Security
Headlines
HeadlinesLatestCVEs

Headline

ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) Remote Code Execution

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated blind command injection vulnerability. Input passed to several POST parameters is not properly sanitized when writing files, allowing attackers to execute arbitrary shell commands on the system. There is also an off-by-one error in array access that could lead to undefined behavior and potential DoS.

Zero Science Lab
#xss#vulnerability#web#linux#apache#java#intel#php#rce#perl#auth

Title: ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) Remote Code Execution
Advisory ID: ZSL-2025-5903
Type: Local/Remote
Impact: System Access, DoS, Cross-Site Scripting
Risk: (5/5)
Release Date: 09.01.2025

Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated blind command injection vulnerability. Input passed to several POST parameters is not properly sanitized when writing files, allowing attackers to execute arbitrary shell commands on the system. There is also an off-by-one error in array access that could lead to undefined behavior and potential DoS.

Vendor

ABB Ltd. - https://www.global.abb

Affected Version

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Tested On

GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel® Atom™ Processor E3930 @ 1.30GHz
Intel® Xeon® Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0

Vendor Status

[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[03.12.2024] Vendor releases version 3.08.03 to address this issue.
[09.01.2025] Coordinated public security advisory released.

PoC

abb_aspect_rce21.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[2] https://www.cve.org/CVERecord?id=CVE-2024-48839
[3] https://www.cve.org/CVERecord?id=CVE-2024-6516
[4] https://www.cve.org/CVERecord?id=CVE-2024-51550
[5] https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01
[6] https://packetstorm.news/files/id/183448/

Changelog

[09.01.2025] - Initial release
[10.01.2025] - Added reference [6]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]

Related news

ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) Stored Cross-Site Scripting

The ABB BMS/BAS controller suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'host' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

ABB Cylon Aspect 3.08.02 (licenseUpload.php) Stored Cross-Site Scripting

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated stored cross-site scripting (XSS) vulnerability. This can be exploited by uploading a malicious .txt file containing an XSS payload, which is stored on the server and served back to users. Although the filename is sanitized via the filename POST parameter, the file contents are not inspected or sanitized, allowing attackers to inject arbitrary client-side scripts that execute in the context of any user accessing the infected file or related web page (license.php). To bypass file upload checks, the request must include the Variant string, enabling the upload process for potential exploitation.

ABB Cylon Aspect 3.08.02 (uploadDb.php) Remote Code Execution

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the contents of an uploaded .db file, which is passed to the copyFile.sh script. Although the filename is sanitized, the contents of the .db file are not, allowing attackers to inject malicious commands that are executed on the server.

ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

ABB Cylon Aspect 3.08.02 (syslogUpdate.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through POST parameters, including REMOTE, IP1, IP2, IP3, IP4, and NAME, called by the syslogUpdate.php script.

ABB Cylon Aspect 3.08.02 (aspectMemory.php) Arbitrary Heap Memory Configuration

An authenticated access vulnerability in the aspectMemory.php script of ABB Cylon Aspect BMS/BAS controllers allows attackers to set arbitrary values for Java heap memory parameters (HEAPMIN and HEAPMAX). This configuration is written to /usr/local/aam/etc/javamem. The absence of input validation can lead to system performance degradation, Denial-of-Service (DoS) conditions, and crashes of critical Java applications.