CVE-2023-4346 Explained : Impact and Mitigation
Find out about CVE-2023-4346 affecting KNX Protocol Connection Authorization allowing attackers to lock devices and prevent resets, risking unauthorized access.
This CVE record was published by the ICS-CERT on August 29, 2023. It affects KNX Protocol Connection Authorization Option 1 by KNX Association, making devices vulnerable to being locked and users unable to reset them, potentially granting unauthorized access to attackers.
Understanding CVE-2023-4346
This CVE highlights a vulnerability in KNX devices using KNX Connection Authorization and supporting Option 1. The issue can result in devices being locked, preventing users from resetting them and granting unauthorized access to attackers.
What is CVE-2023-4346?
KNX devices utilizing KNX Connection Authorization and Option 1 may be susceptible to a flaw where attackers could lock the device and hinder users from resetting it, thereby compromising device security and potentially granting unauthorized access.
The Impact of CVE-2023-4346
The impact of this vulnerability is deemed high, with an Attack Complexity of LOW but an Availability Impact of HIGH. If exploited, attackers could compromise the security of KNX devices, locking them and preventing legitimate users from gaining access.
Technical Details of CVE-2023-4346
This vulnerability stems from an overly restrictive account lockout mechanism (CWE-645) in KNX devices. Attackers with network or physical access to the device can exploit this flaw to lock the device and prevent users from resetting it.
Vulnerability Description
KNX devices using KNX Connection Authorization and supporting Option 1 are at risk of being locked by attackers, preventing users from resetting them and gaining access. The flaw lies in the inability to reset the BCU key without the current password.
Affected Systems and Versions
The vulnerability affects KNX devices that use KNX Connection Authorization and support Option 1. Specifically, devices with the BCU key feature implementation may be vulnerable to exploitation.
Exploitation Mechanism
Attackers with access to the device network or physical access can exploit this vulnerability by setting a BCU key, effectively locking the device and preventing legitimate users from resetting it.
Mitigation and Prevention
To mitigate the risks associated with CVE-2023-4346, immediate steps should be taken along with the implementation of long-term security practices.
Immediate Steps to Take
Users are advised to set the BCU Key in every KNX Project that is completed and will be commissioned in the future. Additionally, handing over the BCU Key as part of the Project Documentation to the Building Owner is recommended.
Long-Term Security Practices
It is crucial to regularly update and patch KNX devices to address security vulnerabilities promptly. Implementing robust security measures and ensuring devices are configured securely can help prevent unauthorized access.
Patching and Updates
Regularly check for security updates provided by KNX Association or relevant vendors to apply patches that address CVE-2023-4346. Keeping devices up to date with the latest firmware can help mitigate security risks associated with this vulnerability.