← Advisories

ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS

Critical
Advisory ID
ZSL-2025-5902
Release Date
09 January 2025
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio, Firmware: <=3.08.02
CVE
CVE-2024-48844
Tested On
GNU/Linux 3.15.10 (armv7l), GNU/Linux 3.10.0 (x86_64), GNU/Linux 2.6.32 (x86_64), Intel(R) Atom(TM) Processor E3930 @ 1.30GHz, Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz, PHP/7.3.11, PHP/5.6.30, PHP/5.4.16, PHP/4.4.8, PHP/5.3.3, AspectFT Automation Application Server, lighttpd/1.4.32, lighttpd/1.4.18, Apache/2.2.15 (CentOS), OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64), OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode), ErgoTech MIX Deployment Server 2.0.0
Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Description

A vulnerability was identified in a PHP script where an off-by-one error in array access could lead to undefined behavior and potential DoS. The issue arises in a loop that iterates over an array using a < condition, allowing access to an out-of-bounds index. This can trigger errors or unexpected behavior when processing data, potentially crashing the application. Successful exploitation of this vulnerability can lead to a crash or disruption of service, especially if the script handles large data sets. This issue can be triggered via the rowCount POST parameter in the Electronic Security Control device update script.

Proof of Concept
abb_aspect_obo2.txtTXT
Disclosure Timeline
21.04.2024Vulnerability discovered.
22.04.2024Vendor contacted.
22.04.2024Vendor responds.
02.05.2024Working with the vendor.
03.12.2024Vendor releases version 3.08.03 to address this issue.
09.01.2025Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch
[2]https://www.cve.org/CVERecord?id=CVE-2024-48844
[3]https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/390818
[5]https://packetstorm.news/files/id/183447/
[6]https://www.exploit-db.com/exploits/52218
Changelog
09.01.2025Initial release
10.01.2025Added reference [4] and [5]
09.05.2025Added reference [6]