Source
Zero Science Lab
An unauthenticated vulnerability in ABB Cylon Aspect BMS/BAS allows the download of an SQLite3 database file, exposing sensitive information stored in several tables. This vulnerability could lead to unauthorized access to system data, enabling information disclosure and potential exploitation of critical building management or automation systems.
ABB Cylon Aspect is affected by multiple Server-Side Request Forgery (SSRF) vulnerabilities. These vulnerabilities allow authenticated attackers to exploit APIs and internal functions to make arbitrary network requests. This could result in unauthorized access to internal systems, data exfiltration, or bypassing firewall protections.
The ABB Cylon ASPECT system contains an unauthenticated information disclosure vulnerability in the pupDumpStats.php script. When this endpoint is accessed, it triggers the download of a sensitive debug file located at /usr/local/aam/var/pupdbg.dump. This file may contain internal system information, including protocol states, transaction logs, and system mappings. The vulnerability arises from an Insecure Direct Object Reference (IDOR) issue, where the script does not validate or authenticate the requester before allowing access to the debug file. Exploiting this flaw enables an attacker to retrieve sensitive operational data, potentially aiding in further exploitation of the system.
The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'port' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.
The ABB BMS/BAS controller suffers from an unauthenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'redirect' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.
The ABB BMS/BAS controller suffers from an unauthenticated information disclosure and manipulation vulnerability in the OOS (Out of Service) Manager. An unauthorized attacker can enumerate devices marked as in or out of service, accessing detailed information such as device names, network IDs, and transaction counts. Furthermore, the attacker can exploit this vulnerability to modify the OOS status of devices, allowing unauthorized additions or updates via the exposed functionality of the /oosManagerAjax.php endpoint.
The ABB BMS/BAS controller suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can access the affected page and retrieve sensitive system details, including active threads, mapping of reference paths, port pool configurations, internal IP addresses, serial port queue information, and performance metrics such as transaction times.
The ABB BMS/BAS controller is vulnerable to code execution and sudo misconfiguration flaws. An authenticated remote code execution vulnerability in the firmware update mechanism allows an attacker with valid credentials to escalate privileges and execute commands as root. The process involves uploading a crafted .aam file through fileSystemUpdate.php, which is then moved to /tmp and executed by fileSystemUpdateExecute.php. This script leverages sudo to run the upgrade-bundle.sh script, enabling the attacker to bypass input validation checks and execute arbitrary code, leading to full system compromise and unauthorized root access.
The ABB BMS/BAS controller allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by servicesUpdate.php script.