← Advisories

ABB Cylon Aspect 3.08.01 (jsonProxy.php) Unauthenticated Project Download

Critical
Advisory ID
ZSL-2024-5855
Release Date
30 October 2024
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.08.01
CVE
N/A
Tested On
GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerable to unauthorized project file disclosure. An unauthenticated remote attacker can issue a GET request abusing the DownloadProject servlet to download sensitive project files. The jsonProxy.php script bypasses authentication by proxying requests to localhost (AspectFT Automation Application Server), granting remote attackers unauthorized access to internal Java servlets. This exposes potentially sensitive project data and configuration details without requiring authentication.

Proof of Concept
abb_aspect_config2.txtTXT
Disclosure Timeline
21.04.2024Vulnerability discovered.
22.04.2024Vendor contacted.
22.04.2024Vendor responds.
02.05.2024Working with the vendor.
07.08.2024Vendor released version 3.08.02 to address this issue.
30.10.2024Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2024-5853
[2]https://packetstormsecurity.com/files/182403/
Changelog
30.10.2024Initial release