← Advisories

ABB Cylon Aspect 3.08.02 (editOverride.php) Authentication Bypass MIX Override

Critical
Advisory ID
ZSL-2024-5884
Release Date
16 December 2024
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.08.02
CVE
CVE-2024-48840
Tested On
GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode), ErgoTech MIX Deployment Server 2.0.0
Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication by setting the 'content' POST parameter. This enables an attacker to inject arbitrary configuration overrides, potentially leading to unauthorized changes and compromising system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties file. This file contains critical configuration overrides such as enabling overrides (Override.enabled=true) and setting specific properties like debug.level=1. The runjava.VARIANT* script then sources this file during execution, applying the overrides when the system reboots or the application restarts. This allows attackers to manipulate critical system settings, potentially causing performance degradation, introducing security risks, or resulting in a denial of service scenario.

Proof of Concept
abb_aspect_auth1.txtTXT
Disclosure Timeline
21.04.2024Vulnerability discovered.
22.04.2024Vendor contacted.
22.04.2024Vendor responds.
02.05.2024Working with the vendor.
03.12.2024Vendor releases version 3.08.03 to address this issue.
16.12.2024Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2024-5879
[2]https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[3]https://www.cve.org/CVERecord?id=CVE-2024-48840
[4]https://nvd.nist.gov/vuln/detail/CVE-2024-48840
[5]https://ergotech.com/mix
[6]https://packetstorm.news/files/id/183179/
[7]https://exchange.xforce.ibmcloud.com/vulnerabilities/390816
Changelog
16.12.2024Initial release
23.12.2024Added reference [6]
10.01.2025Added reference [7]