VulnCheck finds critical security flaws in ABB building automation and energy management software - Industrial Cyber
New research by VulnCheck, highlighted in their Initial Access Research, explores two significant vulnerabilities in ABB’s building automation and energy management software, ABB Cylon Aspect. The software is used in major installations like the American Museum of Natural History and UC Irvine, making these vulnerabilities noteworthy for security teams in the industrial control systems (ICS) sector. The team identified 265 reachable ABB Cylon ASPECT systems online, with 214 remaining unpatched, despite the availability of a patch since 2022.
The two vulnerabilities, CVE-2023-0636 and CVE-2024-6209, impact ABB Cylon ASPECT, a widely used building automation and energy management system, Jacob Baines, chief technology officer at VulnCheck, wrote in a blog post this week. “CVE-2023-0636 allows command injection, enabling unauthorized remote code execution. While ABB reports authentication is required, testing reveals this is not always enforced. CVE-2024-6209 enables unauthenticated file disclosure, allowing attackers to extract plain-text credentials, facilitating further exploits within affected systems.”
He added that proof-of-concept exploits are publicly available, yet threat intelligence platforms show limited exploitation activity.
“The main focus of the discussion is CVE-2023-0636, a command injection vulnerability in ABB Cylon Aspect,” Baines noted. “The vulnerability allows for remote code execution, making it a serious threat, particularly in internet-facing systems. While ABB claims authentication is required for exploitation, research shows otherwise, allowing attackers easier access than initially assumed.”
Baines also noted that the VulnCheck team explored exploit data and examined a proof-of-concept (POC) originally published on Packet Storm by security researcher ‘Liquid Worm.’ “This POC revealed multiple ways to exploit the command injection, with little resistance in place. VulnCheck verified the vulnerability using internal tooling and developed an unobtrusive version scanner to assess its presence in live systems, discovering 265 reachable systems, of which 214 were unpatched, despite a patch being available since 2022.”
In addition to CVE-2023-0636, Baines said that Liquid Worm disclosed an unauthenticated file disclosure vulnerability, allowing attackers to retrieve user credentials in plain text. “This gap in ABB’s products significantly elevates the risk, as these credentials can then facilitate other command injections and remote code executions within the system.”
The VulnCheck team found hundreds of vulnerable ABB Cylon Aspect installations online through platforms like Shodan and Censys. Surprisingly, despite available exploits, no major exploitation activity has been recorded in threat intelligence sources like GreyNoise. However, this discovery underscores the need for organizations with ICS to monitor and patch these vulnerabilities, especially as critical infrastructure software often remains online.
Security professionals should ensure that such high-risk systems are kept patched, and ABB itself advises against exposing these systems to the internet at all. The findings highlight the risk posed by control systems that are both unpatched and publicly accessible.
Organizations using ABB Cylon Aspect should ensure these devices are patched and up to date. It is crucial to keep ABB devices and other ICS devices inaccessible from the internet and to use the provided detection signatures to monitor for any signs of exploitation.