External risk intelligence

KNX Connection Authorization Lockout Vulnerability

CVE advisoryKnown Exploit

CVE-2023-4346

KNX is a building automation protocol designed for internal, site-specific operations. Deployments are typically segmented within private local area networks or building management systems. Public internet exposure is not a standard configuration, and direct remote access generally requires misconfiguration or intentional exposure of internal control protocols.

Knx Connection Authorization

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in KNX devices utilizing specific connection authorization features that could allow an attacker, through network or physical access, to lock down devices, preventing legitimate users from regaining access. The primary concern is confirming if this technology is in use within your environment and assessing the potential exposure if it is.

  • Devices can be locked, blocking user access.
  • Vulnerability impacts building automation systems.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could gain access to a KNX network, either through direct network access or physical proximity to a device, to interact with the KNX installation. By exploiting a vulnerability in the connection authorization feature, they could potentially remove all connected devices and then set a new password, effectively locking users out of the system.

  • Network or physical access required.
  • Attackers can purge devices and set new passwords.
  • Risk of unauthorized lockout and system access.

Live Threat

Current exploitation, exposure, and threat context

KNX devices utilizing Connection Authorization with Option 1 could be locked by an attacker with network or physical access, preventing legitimate users from regaining control. This lock-out occurs when an attacker purges existing devices and sets a new BCU key, which often cannot be reset without the current password. The risk is contingent on specific device implementations and security configurations.

  • KNX devices with Option 1 authorization.
  • Attacker purges devices, sets new BCU key.
  • Device locked, preventing legitimate user access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The KNX Association's Connection Authorization Option 1 can lead to devices being locked and inaccessible if exploited locally or remotely. Ownership likely resides with infrastructure or building management system teams responsible for KNX deployments, with vendor coordination for specific remediation steps. The first practical move involves identifying all KNX devices using this authorization, assessing their network reachability or criticality, and then planning remediation based on the risk of lockout.

  • Confirm KNX device network exposure.
  • Identify accountable system owner.
  • Plan remediation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is KNX Connection Authorization?

KNX is a standardized protocol used for building automation, such as controlling lighting, heating, and security systems. The Connection Authorization feature, specifically 'Option 1,' manages how devices authenticate and communicate within these networks. It acts as a gatekeeper to prevent unauthorized changes to the system's configuration or hardware settings.

What does CVE-2023-4346 mean for my devices?

This vulnerability is classified as CWE-645, which relates to an issue in how certain systems handle authentication during initial configuration or setup. Essentially, the software contains a flaw where the password mechanism, or 'BCU key,' can be abused. If an unauthorized party successfully interacts with the device, they can change this key and lock legitimate administrators out of their own hardware, effectively rendering the device unusable.

How can an attacker trigger this lockout?

An attacker needs either physical access to the device or access to the local network where the KNX system resides. They exploit the vulnerability by purging existing device settings and overwriting them with a new BCU key. Note that this attack path requires a direct connection to the installation's network; it does not trigger through standard interactions on secured, isolated segments where communication is restricted.

Is my organization at risk for this vulnerability?

According to Halo Surface Signal, this risk is generally 'Unlikely' because KNX is a specialized building automation protocol typically kept on private, segmented local networks. It is not designed to be reachable via the public internet. Organizations should only be concerned if their KNX installations have been misconfigured to allow remote access or are otherwise directly exposed to broader network environments.

What should I do if I use these KNX devices?

Your first step is to inventory all KNX devices in your environment that utilize Connection Authorization Option 1. Coordinate with your building management or facilities infrastructure teams to verify if these systems are reachable from untrusted network segments. Once identified, consult with your vendor to apply specific configuration updates or hardening measures to secure the BCU key management process.

References