Cybersecurity , IT-OT Convergence , Remote Access
ABB Smart Building Software Flaws Invite In Hackers
Proof of Concepts Available for Cylon Aspect Energy Management SoftwareVulnerabilities in a smart building energy management system including an easily exploitable, two-year-old flaw that hasn't been widely patched could let hackers take over instances misconfigured to allow internet exposure.
See Also: 2024 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
The flaws, highlighted by industrial control system researcher Gjoko Krstic - aka "LiquidWorm" - carry critical CVSS scores. The vulnerabilities, CVE-2023-0636 and CVE-2024-6209, affect Cylon Aspect software made by electrical engineering firm ABB. The Swiss multinational counts the University of California-Irvine and the American Museum of Natural History in New York City among its energy management system customers. Aspect software allows automated control over building lights, temperature and humidity.
A late September proof of concept of CVE-2023-0636 from Krstic led cybersecurity company VulnCheck to investigate further, highlighting the vulnerabilities in an Oct. 30 blog post. Internet scanning discovered 265 online instances of Aspect, of which the company said 214 were unpatched "despite a patch available since 2022." Prism Infosec previously discovered the flaw in 2023.
The flaw allows hackers to exploit a vulnerable network diagnostic component interface. "Those who have been around, you will think ping
. You are correct. Also, nslookup
," said Jacob Baines, VulnCheck CTO, referring to networking utilities for detecting the network reachability of a host and for querying the domain name system for an IP address. The Krstic proof of concepts also allows hackers to use tracert
, a utility for tracking network hops.
ABB said in 2023 that exploiting the flaw requires hackers to obtain high-level privileges to exploit, but the National Vulnerability Database lists the flaw as requiring no privileges at all.
An ABB advisory said a patch closed the vulnerability that allowed access to the operating system.
The other vulnerability, CVE-2024-6209, allows attackers to extract plain-text user credentials without authentication, opening paths for further exploitation. Attackers could use extracted credentials to deploy additional exploits within affected networks. Krstic found that input passed through a PHP script was not properly verified before being used to download log files, allowing hackers to launch directory traversal attacks to obtain sensitive files. He also developed more than two dozen command injection exploits that build on the flaw to conduct activities such as remote code execution, exposing building names and denial of service.
ABB said in a July advisory that customers should ensure that Aspect devices aren't accessible from the internet. Should customers have exposed instances to the internet, even "only in defined time intervals," they should remove the application from the internet and install updated firmware, it said. Remote access should be mediated through an updated VPN, it also said.
As of Oct. 30, it did not appear as if hackers have exploited the flaw.