American Auto-Matrix Front-End Solutions Vulnerability

American Auto-Matrix Front-End Solutions Vulnerability

CVE-2016-2307

aspectft

A local file inclusion and plain text storage of password vulnerabilities exists in American Auto-Matrix’s Building Automation Front-End Solutions application. The Aspect-Matrix hardware platform was made end of life in 2015 and will no longer receive further updates.

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

The following Building Automation Front-End Solutions versions are affected:

  • Aspect-Nexus Building Automation Front-End Solutions application versions prior to 3.0.0
  • Aspect-Matrix Building Automation Front-End Solutions application all versions.

IMPACT

User logins and passwords presented in plain text provide an attacker authenticated credentials to all aspects of the system.

BACKGROUND

According to American Auto-Matrix, Building Automation Front‑End Solutions application is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater systems, and others. American Auto-Matrix estimates that this product is used primarily in the United States.

LOCAL FILE INCLUSION

Without authorization, the attacker can read files on the host, including the configuration file.

PLAIN TEXT STORAGE OF A PASSWORD

In a file that is accessible without authentication, passwords are presented in plain text.

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

MITIGATION

American Auto-Matrix recommends the following steps:

Download the zip file located at Dealer Toolbox (http://www.aamatrix.com/aspect-new-features(link is external)) under Product Support>Software Updates. Then:

  • Unzip the attached file
  • Install the .aam file through the WebUI under [System Administration > System Updates]

Users will then need to reboot the unit in order complete the upgrade process.