← Advisories

ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdmin

Critical

Advisory ID

ZSL-2024-5830

Release Date

26 September 2024

Vendor

ABB Ltd. - https://www.global.abb

Affected Version

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.07.01

CVE

CVE-2024-4007

Tested On

GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode), phpMyAdmin 2.11.9

Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet.

Proof of Concept

abb_aspect_hardcoded1.txtTXT

Disclosure Timeline

21.04.2024Vulnerability discovered.

22.04.2024Vendor contacted.

22.04.2024Vendor responds.

02.05.2024Working with the vendor.

01.07.2023Vendor releases version 3.07.02 to address this issue.

26.09.2024Public security advisory released.

Credits