PatchSiren cyber security CVE debrief
CVE-2024-43812 Kieback&Peter CVE debrief
A vulnerability in Kieback&Peter DDC4000 series building automation controllers allows unauthenticated attackers with local access to read password hashes from /etc/passwd. The affected products span ten controller models across two product generations: legacy DDC4002/DDC4100/DDC4200/DDC4200-L/DDC4400 (firmware ≤1.12.14 or ≤1.7.4) and newer DDC4002e/DDC4200e/DDC4400e/DDC4020e/DDC4040e models (firmware ≤1.17.6). The CVSS 3.1 score of 8.4 reflects high impacts to confidentiality, integrity, and availability with low attack complexity and no privileges required. CISA published this advisory on October 17, 2024. The legacy controller models are end-of-life with no patches available; supported models require a firmware update to v1.21.0 or later.
- Vendor: Kieback&Peter
- Product: DDC4002
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-17
- Original CVE updated: 2024-10-17
- Advisory published: 2024-10-17
- Advisory updated: 2024-10-17
Who should care
Organizations operating building automation systems, facility management teams, critical infrastructure operators with HVAC and environmental controls, OT security teams, and asset owners in commercial real estate, healthcare, and industrial facilities using Kieback&Peter DDC controllers.
Technical summary
The vulnerability stems from insufficient protection of credential storage in the DDC4000 series firmware. An attacker with local access to the controller's file system can read /etc/passwd without authentication, obtaining password hashes for all system users. This enables offline hash cracking attacks against administrative and service accounts. The attack requires local access (AV:L) but no privileges (PR:N) and has low complexity (AC:L). Legacy controllers in the series have reached end-of-life status and will not receive patches; organizations must rely on network segmentation and operational technology security best practices for these devices. Current-generation controllers have patched firmware available (v1.21.0+).
Defensive priority
HIGH
Recommended defensive actions
- Identify all Kieback&Peter DDC4000 series controllers in your environment and document their firmware versions
- For legacy DDC4002, DDC4100, DDC4200, DDC4200-L, and DDC4400 controllers (EOL, no patches): isolate on strictly segmented OT networks with no internet access, disable unnecessary services, and plan migration to supported
- For DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers: contact your local Kieback&Peter office to schedule a firmware update to v1.21.0 or later
- Review and rotate any credentials that may have been exposed through this vulnerability
- Apply defense-in-depth controls per CISA ICS recommended practices including network segmentation, monitoring, and least-privilege access
- Monitor for unauthorized access attempts to controller file systems or authentication services
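The inventory step above can be scripted against the version ranges the advisory gives. The following is an added example, not PatchSiren or Kieback&Peter code; it assumes an inventory exported as a `name,model,firmware` CSV (the sample rows are constructed) and encodes only the model lists and version bounds stated in this debrief.

```python
import csv
import io
import re

# Model families and version bounds as given in the advisory text.
LEGACY_MODELS = {"DDC4002", "DDC4100", "DDC4200", "DDC4200-L", "DDC4400"}
CURRENT_MODELS = {"DDC4002e", "DDC4200e", "DDC4400e", "DDC4020e", "DDC4040e"}
LEGACY_MAX_AFFECTED = (1, 12, 14)   # legacy ranges are <=1.12.14 or <=1.7.4; the former covers both
CURRENT_MAX_AFFECTED = (1, 17, 6)
FIXED_VERSION = (1, 21, 0)


def parse_version(text):
    """Turn 'v1.17.6' or '1.17.6' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.groups())


def classify(model, firmware):
    """Return a triage status for one controller based on model family and firmware."""
    version = parse_version(firmware)
    if model in LEGACY_MODELS:
        # End-of-life: no fix exists, so isolation and migration are the action either way.
        return "EOL_ISOLATE" if version <= LEGACY_MAX_AFFECTED else "EOL_VERIFY"
    if model in CURRENT_MODELS:
        if version >= FIXED_VERSION:
            return "PATCHED"
        if version <= CURRENT_MAX_AFFECTED:
            return "UPDATE_TO_1.21.0"
        return "VERIFY_WITH_VENDOR"  # above the advisory range but below the fixed version
    return "OUT_OF_SCOPE"


def triage(inventory_csv):
    """Map each asset name in a 'name,model,firmware' CSV to its triage status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["name"]: classify(row["model"].strip(), row["firmware"]) for row in reader}


# Constructed sample inventory (hypothetical asset names, not real devices).
SAMPLE_INVENTORY = """name,model,firmware
ahu-01,DDC4200,1.12.14
ahu-02,DDC4100,1.7.4
plant-01,DDC4400e,v1.17.6
plant-02,DDC4200e,1.21.0
plant-03,DDC4020e,1.18.2
bms-gw,OtherVendorPLC,2.0.0
"""

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

Assets reported as EOL_ISOLATE or UPDATE_TO_1.21.0 map directly to the isolation and update actions listed above; VERIFY statuses flag versions the advisory does not explicitly name.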
Evidence notes
CISA CSAF advisory ICSA-24-291-05 published 2024-10-17T06:00:00Z. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Affected product list and remediation guidance extracted from CSAF product tree and remediation sections.
Official resources
- CVE-2024-43812 CVE record (CVE.org)
- CVE-2024-43812 NVD detail (NVD)
- Source item: cisa_csaf