PatchSiren cyber security CVE debrief
CVE-2024-11317 ABB CVE debrief
Session fixation vulnerabilities in ABB ASPECT systems allow attackers to predetermine a user's session identifier prior to authentication, enabling session takeover on affected devices. The vulnerability affects ASPECT versions 3.08.02 and earlier across multiple product lines including ASPECT®-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x) devices. It is rated CRITICAL with a CVSS score of 10.0, reflecting a network attack vector, low attack complexity, no privileges required, no user interaction, a changed scope, and high impact on confidentiality and integrity. A vendor fix is available in version 3.08.03 and later. The advisory was initially published on July 3, 2024, with subsequent updates in August and November 2024 as patched versions became available, and a final correction on December 5, 2024.
- Vendor: ABB
- Product: ASPECT®-Enterprise
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-03
- Original CVE updated: 2024-12-05
- Advisory published: 2024-07-03
- Advisory updated: 2024-12-05
Who should care
Organizations operating ABB ASPECT building automation and energy management systems, particularly in critical infrastructure environments. Security teams responsible for industrial control system (ICS) security, facility management organizations, and OT security practitioners should prioritize patching. Organizations with ASPECT devices exposed to network segments accessible by potential attackers face elevated risk of unauthorized access to building control systems.
Technical summary
The vulnerability exists in the session management implementation of ABB ASPECT systems where an attacker can fix a user's session identifier before the login process completes. This session fixation weakness allows the attacker to know the session ID that will be assigned to an authenticated user, enabling session hijacking after the victim authenticates. The attack requires network access to the ASPECT device but does not require authentication, privileges, or user interaction. Successful exploitation grants the attacker the ability to take over the authenticated session with high impact on confidentiality and integrity of the system. The vulnerability affects four product lines: ASPECT®-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x, NEXUS-3-x), and MATRIX Series (MAT-x), all at versions 3.08.02 and below. The fix in version 3.08.03 implements proper session identifier regeneration upon authentication.
Defensive priority
critical
Recommended defensive actions
- Upgrade ABB ASPECT systems to version 3.08.03 or later to remediate session fixation vulnerabilities
- Verify session management implementations enforce rotation of session identifiers upon successful authentication
- Review network segmentation for ASPECT devices to limit exposure to untrusted networks
- Monitor for anomalous session activity including sessions originating from unexpected source addresses
- Apply defense-in-depth strategies per ICS-CERT recommended practices for industrial control systems
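The session-identifier rotation check from the second action above, sketched as an added example (not ABB's code and not taken from the advisory). `SessionStore` and `check_rotation` are hypothetical names; the store is a constructed in-memory stand-in for a web application's session layer, with a flag that switches between keeping and rotating the identifier at login.

```python
import secrets


class SessionStore:
    """Constructed in-memory session layer; rotate_on_login selects the behaviour."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session id -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable, server-generated id
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        if sid not in self._sessions:
            sid = self.new_session()  # never adopt an id the server did not issue
        if self.rotate_on_login:
            del self._sessions[sid]   # invalidate the pre-login id
            sid = self.new_session()  # issue a fresh id for the authenticated session
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def check_rotation(store):
    """Return a list of findings; an empty list means the id is rotated at login."""
    findings = []
    pre = store.new_session()
    post = store.login(pre, "operator")
    if post == pre:
        findings.append("session id unchanged across login")
    if store.user_for(pre) is not None:
        findings.append("pre-login id is authenticated after login")
    if store.user_for(post) != "operator":
        findings.append("post-login id is not bound to the user")
    return findings


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotate_on_login =", rotate, "->", check_rotation(SessionStore(rotate)) or "OK")
```

The same three assertions apply to a real application's test suite: capture the identifier issued before login, authenticate, then confirm the identifier changed and the old one no longer maps to a user.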
Evidence notes
Source: CISA CSAF advisory ICSA-25-007-01. Affected products confirmed via CSAF product tree: ASP-ENT-x <=3.08.02, NEX-2x <=3.08.02, NEXUS-3-x <=3.08.02, MAT-x <=3.08.02. Remediation confirmed in version 3.08.03 and later. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:F/RL:O/RC:C.
Official resources
- CVE-2024-11317 CVE record (CVE.org)
- CVE-2024-11317 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-07-03