
ABB Cylon Aspect 3.07.00 (networkDiagAjax.php) Remote Code Execution

Critical
Advisory ID: ZSL-2024-5829
Release Date: 24 September 2024
Vendor:
Affected Version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.07.00
CVE: N/A
Tested On: GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the 'host' HTTP GET parameter passed to the networkDiagAjax.php script.
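
A log-review check for the issue described above, added here as an example (not code from the advisory or from the vendor): it flags requests to networkDiagAjax.php whose 'host' value is anything other than a plain IP address or hostname. The log format, the sample lines and the PLACEHOLDER directory are assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format). The directory is a
# placeholder: the advisory names only the script, not its path.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2025:10:15:02 +0000] "GET /PLACEHOLDER/networkDiagAjax.php?host=192.0.2.7 HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2025:10:15:09 +0000] "GET /PLACEHOLDER/networkDiagAjax.php?host=gateway.example.net HTTP/1.1" 200 498',
    '203.0.113.50 - - [01/Jan/2025:10:16:40 +0000] "GET /PLACEHOLDER/networkDiagAjax.php?host=192.0.2.7%3BCONSTRUCTED HTTP/1.1" 200 733',
    '203.0.113.50 - - [01/Jan/2025:10:16:41 +0000] "GET /PLACEHOLDER/index.php?host=a%3Bb HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z)(?:{LABEL}\.)*{LABEL}")


def is_plain_host(value):
    """True only for a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.fullmatch(value))


def suspicious_requests(lines):
    """Return (source, decoded host value) for each networkDiagAjax.php request
    whose 'host' parameter fails the allowlist check above."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/networkdiagajax.php"):
            continue
        # parse_qs percent-decodes, so encoded metacharacters are compared in clear
        for value in parse_qs(url.query).get("host", []):
            if not is_plain_host(value):
                hits.append((m.group("src"), value))
    return hits


if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"review: {src} sent host={value!r}")
```

The check is an allowlist rather than a list of shell metacharacters, so it also catches values no blocklist anticipated; on firmware <=3.07.00 any hit warrants review of the controller.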

Proof of Concept
Disclosure Timeline
10.05.2022 Vulnerability discovered.
21.04.2024 Vulnerability re-discovered.
01.06.2023 Vendor released version 3.07.01 to address this issue.
24.09.2024 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic (2024)
Vulnerability discovered by Prism Infosec (2022)
References
Changelog
24.09.2024 Initial release
25.09.2024 Added reference [3]
23.10.2024 Added reference [4]