High-risk vulnerabilities patched in ABB Aspect building management system

Prism Infosec has identified two high-risk vulnerabilities within the Aspect Control Engine building management system (BMS) developed by ABB.

ABB’s Aspect BMS enables users to monitor a building’s performance and combines real-time integrated control, supervision, data logging, alarming, scheduling and network management functions with internet connectivity and web serving capabilities. Consequently, users can view system status, override setpoints and schedules, and more over desktop, laptop or mobile phone devices.

CVE-2023-0635 and CVE-2023-0636

The two vulnerabilities affect versions before 3.07.01 and could result in remote code execution (RCE), and privilege escalation within the Aspect Control Engine software, potentially giving an attacker complete control over the BMS.

CVE-2023-0635 and CVE-2023-0636 are corrected in the following product versions:

ASPECT-Enterprise (model number ASP-ENT-x): 3.07.01 and newer
Product ID: 2CQG103201S3021, 2CQG103202S3021, 2CQG103203S3021, 2CQG103204S3021

NEXUS Series (model number NEX-2x, NEXUS-3-x): 3.07.01 and newer
Product ID: 2CQG100102R2021, 2CQG100104R2021, 2CQG100105R2021, 2CQG100106R2021, 2CQG100110R2021, 2CQG100112R2021, 2CQG100103R2021, 2CQG100107R2021, 2CQG100108R2021, 2CQG100109R2021, 2CQG100111R2021, 2CQG100113R2021

MATRIX Series (model number MAT-x): 3.07.01 and newer
Product ID: 2CQG100102R1021, 2CQG100103R1021, 2CQG100104R1021, 2CQG100105R1021, 2CQG100106R1021

How the vulnerabilities were discovered

During a recent security testing engagement on behalf of a client, researchers discovered an ABB Aspect appliance and that the BMS was misconfigured to be publicly available over the internet. Usually, such administrative interfaces should not be made externally accessible and in instances where this cannot be avoided a secondary layer of authentication should be used, such as VPN or IP address whitelisting together with further access controls such as multi-factor authentication (MFA).

The team gained initial access to the administrative interface by using the default credentials documented in the Aspect Control Engine’s publicly available user manual. The team then found that the Network Diagnostic function of the Aspect appliance was vulnerable to RCE which allowed them to gain access via a reverse-shell to the underlying Linux OS and associated internal network infrastructure.

Once initial access was achieved, a check against the privileges revealed that the software was running as the ‘Apache’ user, a relatively low-level user with limited functionality. Researchers then identified an unintended privilege escalation vulnerability built into the underlying operating system of the ABB appliance, which would allow the user to escalate their access privileges to a root-level account.

“We informed the client of our findings and disclosed the software vulnerabilities to ABB shortly after. It was impressive how quickly both parties acknowledged and acted upon these issues, from the client ensuring these access levels were disabled to ABB patching and releasing an update and advisory to their clients. It goes to show how well responsible disclosure can work when consultants and vendors are both on the same page and put security first,” said Phil Robinson, Principal Consultant and Founder of Prism Infosec.