← Advisories

ABB Cylon Aspect 3.08.02 (fileSystemUpdate.php) Remote Guest2Root Exploit

Critical

Advisory ID

ZSL-2024-5871

Release Date

08 December 2024

Vendor

ABB Ltd. - https://www.global.abb

Affected Version

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.08.02

CVE

CVE-2024-48839

Tested On

GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB BMS/BAS controller is vulnerable to code execution and sudo misconfiguration flaws. An authenticated remote code execution vulnerability in the firmware update mechanism allows an attacker with valid credentials to escalate privileges and execute commands as root. The process involves uploading a crafted .aam file through fileSystemUpdate.php, which is then moved to /tmp and executed by fileSystemUpdateExecute.php. This script leverages sudo to run the upgrade-bundle.sh script, enabling the attacker to bypass input validation checks and execute arbitrary code, leading to full system compromise and unauthorized root access.

Proof of Concept

aamroot.pyTXT

Disclosure Timeline

21.04.2024Vulnerability discovered.

22.04.2024Vendor contacted.

22.04.2024Vendor responds.

02.05.2024Working with the vendor.

03.12.2024Vendor releases version 3.08.03 to address this issue.

08.12.2024Coordinated public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References