Discovered - High Risk Vulnerabilities Affecting A Leading Building Management System

Prism Infosec, an independent cyber security consultancy, has recently announced that it has identified two high risk vulnerabilities within the Aspect Control Engine Building Management System (BMS) developed by ABB, the major international process, design and automation company.

The two vulnerabilities affect versions prior to 3.07.01 and could result in remote code execution (RCE) and privilege escalation within the Aspect Control Engine software, potentially giving an attacker complete control over the BMS.

Both have been reported and logged as Common Vulnerabilities and Exposures (CVEs). ABB’s Aspect BMS enables users to monitor a building’s performance and combines real-time integrated control, supervision, data logging, alarming, scheduling and network management functions with Internet connectivity and web serving capabilities. 

Consequently, users can view system status, override setpoints and schedules, and more over desktop, laptop or mobile phone devices.

During a recent security testing engagement on behalf of a client, Prism Infosec discovered an ABB Aspect appliance whose BMS was misconfigured to be publicly available over the internet. Such administrative interfaces should not usually be made externally accessible; where this cannot be avoided, a secondary layer of authentication should be used, such as a VPN or IP address whitelisting, together with further access controls such as multi-factor authentication (MFA).

The Prism Infosec team gained initial access to the administrative interface by using the default credentials documented in the Aspect Control Engine’s publicly available user manual. The team then found that the Network Diagnostic function of the Aspect appliance was vulnerable to RCE, which allowed them to gain access via a reverse shell to the underlying Linux operating system and the associated internal network infrastructure.

Once initial access was achieved, a check of the account's privileges revealed that the software was running as the ‘Apache’ user, a relatively low-level user with limited functionality. The Prism Infosec team then identified an unintended privilege escalation vulnerability, built into the underlying operating system of the ABB appliance, which would allow the user to escalate their access privileges to a root-level account.

“We made the client aware of our findings and disclosed the software vulnerabilities to ABB shortly after. It was impressive how quickly both parties acknowledged and acted upon these issues, from the client ensuring these levels of access were disabled to ABB patching and releasing an update and advisory to their clients,” commented Phil Robinson, Principal Consultant and Founder of Prism Infosec.

“It goes to show how well responsible disclosure can work when consultants and vendors are both on the same page and put security first,” Robinson added.


Cyber Security Intelligence: Captured Organised & Accessible


 

 

 
