ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category:
Language: PHP
Published Date: 2025-04-15
ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The application suffers from cleartext transmission and storage of
sensitive information in a Cookie. This includes the globals parameter, where
authdata contains base64-encoded credentials. A remote attacker can intercept
the HTTP Cookie, including authentication credentials, through a man-in-the-middle
attack, potentially compromising user accounts and sensitive data.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5895
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5895.php
CVE ID: CVE-2024-51546
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-51546


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 


Cookie: PHPSESSID=xxx; context1=xxx; globals={"currentUser":{"username":"aamuser","authdata":"YWFtdXNlcjpkZWZhdWx0","mangledAuth":"bXVidmZnO2Vmc3Z0Ym45YjczMzY2ODo6MjQyODQ7Mg==","loginExpirySeconds":0},"loggedIn":true,"lang":"en"}; cod=5.27; connect.sid=xxx; csd=44


ABB Cylon Aspect 3.08.02 — Cookie User Password Disclosure (CVE-2024-51546)

Executive summary

ABB Cylon ASPECT (NEXUS, MATRIX-2, ASPECT-Enterprise, ASPECT-Studio) prior to or equal to firmware 3.08.02 stores and transmits user authentication credentials inside an application cookie in cleartext (base64-encoded) and without appropriate transport or cookie protections. An attacker with network visibility (e.g., on the local network, via an unprotected Wi‑Fi, or via an active man-in-the-middle) can obtain the cookie, decode the credential string, and use it to impersonate the user or access the system. The issue is tracked as CVE-2024-51546.

Affected products and versions

Product                            Affected firmware / versions
---------------------------------  ----------------------------
NEXUS Series                       <= 3.08.02
MATRIX-2 Series                    <= 3.08.02
ASPECT-Enterprise, ASPECT-Studio   <= 3.08.02

Vulnerability details

The vulnerable ASPECT builds place a JSON structure named "globals" into an HTTP cookie. That JSON contains a "currentUser" object which includes two sensitive fields:

  • authdata — base64-encoded username:password or equivalent authentication blob;
  • mangledAuth — an obfuscated/encoded credential-like string.

Because the cookie is sent over HTTP without appropriate protections, anyone who can observe the connection can obtain these values, decode them, and directly recover credentials. Even if the strings are not raw passwords in some deployments, the disclosure of credential material or long-lived authentication tokens provides direct unauthorized access.

Concrete cookie example

Typical cookie fragment observed in a vulnerable install (abridged):

globals={"currentUser":{"username":"aamuser","authdata":"YWFtdXNlcjpkZWZhdWx0","mangledAuth":"bXVidmZnO2Vmc3Z0Ym45YjczMzY2ODo6MjQyODQ7Mg==","loginExpirySeconds":0},"loggedIn":true,"lang":"en"}

This shows the authdata field contains a base64 string. When decoded it reveals the credential pair.

# Python example to decode authdata for defensive analysis
import base64

s = "YWFtdXNlcjpkZWZhdWx0"  # authdata value from the cookie fragment above
# Decodes to the username:password pair ("aamuser:default" for this value)
print(base64.b64decode(s).decode('utf-8'))

Explanation: The Python snippet demonstrates how an auditor or administrator can decode the base64 value. It prints the decoded UTF‑8 string (in the example above it would reveal "aamuser:default"). This is intended for defensive analysis and incident response to confirm what was exposed.

How the issue can be exploited (high-level)

  • An attacker who can read HTTP traffic (e.g., shared Wi‑Fi, network tap, compromised router or proxy) can capture cookies transmitted without TLS protections.
  • Capturing the "globals" cookie yields credential material (authdata/mangledAuth) which can be decoded or reversed, allowing login as the affected user.
  • From there, depending on the user's privileges, the attacker may view or modify building automation data, cause operational disruption, or pivot into other systems.

Impact

  • Credential disclosure — passwords or equivalent secrets leaked in transit and at rest in client cookies.
  • Account compromise — an attacker can impersonate affected users without needing to brute force passwords.
  • Operational security risk — building management and control systems are sensitive; unauthorized access may impact safety, comfort, energy systems, or provide lateral access to corporate networks.

Detection and indicators of compromise (IoCs)

  • Presence of a cookie named globals containing JSON with keys currentUser, authdata, or mangledAuth.
  • Base64-like strings in cookies — long sequences of A–Z, a–z, 0–9, +, /, = inside the globals JSON.
  • Network captures showing cookies sent over plain HTTP to ASPECT hosts/ports.

Simple host-side check (example): search webserver logs or application logs for "globals={\"currentUser\"" to find devices that emitted the cookie. Administrators should treat hits as potential exposures and investigate.
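A defender-side check for the indicators above, added here as an example that is not part of the advisory: it parses Cookie headers taken from logs or captures, flags the globals cookie when it carries authdata or mangledAuth, and decodes authdata only far enough to report the exposed username and whether a password was present. The log-line shape, the host name and the session_token value are constructed for the example; the cookie values are the advisory's published ones.

```python
# Added example (not from the advisory): flag "globals" cookies carrying credentials.
import base64
import binascii
import json
import re

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_authdata(value):
    """Return (username, password_present) for a base64 'user:pass' blob, else None."""
    if not BASE64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, bool(password)) if sep else None

def scan_cookie_header(header, scheme="http"):
    """Return a finding dict if the globals cookie carries authdata/mangledAuth."""
    # Split on ';' and the first '='; the globals JSON itself contains no ';'.
    cookies = dict(p.strip().partition("=")[::2] for p in header.split(";") if "=" in p)
    try:
        user = json.loads(cookies.get("globals", "{}"))["currentUser"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None
    fields = [k for k in ("authdata", "mangledAuth") if isinstance(user, dict) and k in user]
    if not fields:
        return None
    finding = {"username": user.get("username"), "fields": fields,
               "cleartext_transport": scheme.lower() == "http"}
    decoded = decode_authdata(str(user.get("authdata", "")))
    if decoded:  # report who is exposed, never the password itself
        finding["decoded_username"], finding["password_present"] = decoded
    return finding

def scan_log(lines):
    """Scan constructed '<scheme> <host> <Cookie header>' lines; one finding per exposure."""
    findings = []
    for line in lines:
        scheme, host, header = line.split(" ", 2)
        finding = scan_cookie_header(header, scheme)
        if finding:
            findings.append(dict(finding, host=host))
    return findings

# Constructed sample lines; the cookie values reuse the advisory's published example.
SAMPLE_LOG = [
    'http aspect.example.internal PHPSESSID=xxx; globals={"currentUser":{"username":"aamuser","authdata":"YWFtdXNlcjpkZWZhdWx0","mangledAuth":"bXVidmZnO2Vmc3Z0Ym45YjczMzY2ODo6MjQyODQ7Mg==","loginExpirySeconds":0},"loggedIn":true,"lang":"en"}; csd=44',
    'https aspect.example.internal session_token=0f1e2d3c; lang=en',
]
```

Feed scan_log() lines in the same "scheme host cookie-header" shape from real proxy or capture exports; a finding with cleartext_transport set means the credential material crossed the network unencrypted.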

Remediation and mitigation

Immediate and long-term mitigations — prioritize patching and configuration hardening:

  • Apply vendor updates: upgrade ASPECT firmware/software to a version where this behavior is corrected. Contact ABB support for the patch or newer firmware that removes credentials from cookies and uses secure session handling.
  • Enforce TLS for all management interfaces: configure HTTPS with valid certificates and redirect HTTP to HTTPS. Ensure TLS is used end‑to‑end (no offloaded insecure segments).
  • Use secure cookie attributes: mark cookies with Secure, HttpOnly, and appropriate SameSite attributes to reduce the risk of theft through the most common vectors:
    • Secure — prevents transmission over non-TLS connections.
    • HttpOnly — prevents easy access to cookie values from injected client-side scripts.
    • SameSite=Lax/Strict — limits cookie leakage in cross-site contexts.
  • Avoid storing credentials in client-side cookies: session identifiers (random opaque tokens) should be stored server-side and mapped to server-held session state. Credentials or password-equivalent material must never be stored client-side.
  • Rotate compromised credentials and session tokens immediately, and force password reset for potentially affected accounts.
  • Harden network segmentation: management interfaces for building systems should be isolated from general user networks and reachable only via VPN or dedicated management networks.
  • Monitor and log authentication events and unusual access patterns; enable alerting for logins from new IPs or simultaneous sessions.

Secure cookie examples (recommended patterns)

Example: preferred way to set a session cookie in modern PHP (7.3+) with options array:

// Set a secure HttpOnly cookie with SameSite in PHP 7.3+
$cookieValue = bin2hex(random_bytes(32)); // random opaque session token
// Persist $cookieValue -> session state on the server before sending it to the client
setcookie('session_token', $cookieValue, [
  'expires'  => time() + 3600,
  'path'     => '/',
  'domain'   => 'example.com', // replace with the management interface's host
  'secure'   => true,          // only sent over TLS
  'httponly' => true,          // not readable from client-side script
  'samesite' => 'Lax'          // not sent on cross-site requests (except top-level navigation)
]);

Explanation: This code demonstrates best practices: generate a random opaque token on the server, store it server-side mapped to session state, and set cookie attributes so it is only sent over TLS (secure), not accessible from JavaScript (httponly), and has a SameSite policy to reduce cross‑site leakage.

For older PHP versions where the options array is not available, use the positional setcookie() parameters (expires, path, domain, secure, httponly) and set any further cookie controls such as SameSite through the response headers, but upgrade PHP when possible. Also ensure the application itself does not embed credentials into cookie JSON structures.

Patch and configuration checklist for administrators

  • Contact ABB support and update ASPECT devices to a fixed firmware version as soon as available.
  • Disable any HTTP-only management access; require HTTPS and install valid TLS certificates.
  • Inspect existing cookie usage across the application codebase; remove storage of authdata or password-equivalent tokens from cookies.
  • Implement server-side sessions using opaque random tokens and store all sensitive state server-side.
  • Apply least privilege to accounts used by automation systems and rotate credentials after remediation.
  • Segment building automation networks and limit external access via VPNs or jump hosts with multi-factor authentication.

References and advisory information

Public advisory and CVE: CVE-2024-51546. Related advisory: ZSL-2025-5895 (reported by Gjoko 'LiquidWorm' Krstic). Administrators should consult vendor communications for the specific fixed firmware versions and detailed upgrade instructions.

Final notes for defenders

This vulnerability underscores two recurring secure-design principles: never transmit or persist raw secrets in client-side storage, and always protect sensitive management interfaces with strong transport security and network isolation. For building management systems, these controls are particularly critical because the impact extends beyond IT to physical systems and occupant safety.