ICS Advisory

KNX Protocol

Release Date
Alert Code
ICSA-23-236-01

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5 
  • ATTENTION: Exploitable remotely/low attack complexity/known public exploitation 
  • Vendor: KNX Association 
  • Equipment: KNX devices using KNX Connection Authorization 
  • Vulnerability: Overly Restrictive Account Lockout Mechanism 

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause users to lose access to their device, potentially with no way to reset the device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following devices using KNX Protocol are affected: 

  • KNX devices using Connection Authorization Option 1 Style in which no BCU Key is currently set: All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 OVERLY RESTRICTIVE ACCOUNT LOCKOUT MECHANISM CWE-645 

KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way. 

CVE-2023-4346 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing Sector
  • COUNTRIES/AREAS DEPLOYED: Europe 
  • COMPANY HEADQUARTERS LOCATION: Belgium 

3.4 RESEARCHER

Felix Eberstaller of Limes Security reported this vulnerability to CISA.

4. MITIGATIONS

KNX Association recommends all system integrators, installers, ETS users, and end customers to follow common IT security guidelines. KNX Association recommends users follow the recommendations in the KNX Secure Checklist

The KNX Association also recommends users always set the BCU Key in every KNX Project that is already finished and will be commissioned in the future. Handover the BCU Key as part of the Project Documentation to the Building Owner. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA has received reports of this vulnerability being actively exploited. 

This product is provided subject to this Notification and this Privacy & Use policy.