1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Kieback&Peter
Equipment: DDC4000 Series
Vulnerabilities: Path Traversal, Insufficiently Protected Credentials, Use of Weak Credentials
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full administrator rights on the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Kieback&Peter DDC4000 series products are affected:
DDC4002 : Versions 1.12.14 and prior
DDC4100 : Versions 1.7.4 and prior
DDC4200 : Versions 1.12.14 and prior
DDC4200-L : Versions 1.12.14 and prior
DDC4400 : Versions 1.12.14 and prior
DDC4002e : Versions 1.17.6 and prior
DDC4200e : Versions 1.17.6 and prior
DDC4400e : Versions 1.17.6 and prior
DDC4020e : Versions 1.17.6 and prior
DDC4040e : Versions 1.17.6 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The affected product is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.
CVE-2024-41717 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-41717. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
The affected product has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system.
CVE-2024-43812 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-43812. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 USE OF WEAK CREDENTIALS CWE-1391
The affected product uses weak credentials, which may allow an unauthenticated attacker to get full admin rights on the system.
CVE-2024-43698 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-43698. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing Sector, Commercial Facilities Sector, Communications Sector, Financial Services Sector, Food and Agriculture Sector, Government Services and Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector
COUNTRIES/AREAS DEPLOYED: Europe, the Middle East and Asia.
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Raphael Ruf of terreActive AG reported these vulnerabilities to CISA.
4. MITIGATIONS
Kieback&Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are considered End-of-Life (EOL) and are no longer supported. Users operating these controllers should ensure they are operated in a strictly separate OT environment and consider updating to a supported controller.
Kieback&Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers.
Kieback&Peter recommends all affected users contact their local Kieback&Peter office to update the firmware of the supported DDC systems to v1.21.0 or later.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
October 17, 2024: Initial Publication