CVE-2018-15484
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary code on KONE Group Controller (KGC) devices by modifying the autoexec.bat file through the open HTTP interface. It affects KGC devices running versions before 4.6.5, potentially compromising building management systems. Attackers can gain full control of affected devices remotely without credentials.
💻 Affected Systems
- KONE Group Controller (KGC)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of building management systems, allowing attackers to disable elevators/escalators, manipulate access controls, or pivot to other building systems, potentially causing physical safety hazards and operational disruption.
Likely Case
Attackers install malware, create backdoors, or use devices for cryptocurrency mining or botnet participation, leading to system instability and potential data exfiltration.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting isolated systems with minimal business disruption.
🎯 Exploit Status
Exploit details and proof-of-concept code are publicly available. Attack requires network access to the HTTP interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.5 and later
Vendor Advisory: https://www.kone.com/en/vulnerability.aspx
Restart Required: Yes
Instructions:
1. Contact KONE support for the upgrade package.
2. Back up the current configuration.
3. Apply the firmware update to version 4.6.5 or later.
4. Verify that the update completed successfully.
5. Test system functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate KGC devices from untrusted networks and restrict HTTP interface access
Access Control Lists
Implement firewall rules to restrict HTTP access to authorized IP addresses only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate KGC devices from internet and untrusted networks
- Deploy intrusion detection systems to monitor for exploitation attempts and unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or management console. If version is below 4.6.5, device is vulnerable.
Check Version:
Check via web interface at http://[device-ip]/status or consult device documentation
Verify Fix Applied:
Verify firmware version is 4.6.5 or higher. Test that autoexec.bat cannot be modified via HTTP interface without authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated HTTP requests to autoexec.bat or configuration files
- Unusual process execution or system modifications
- Failed authentication attempts followed by configuration changes
Network Indicators:
- HTTP POST/PUT requests to autoexec.bat from unauthorized sources
- Unusual outbound connections from KGC devices
- Traffic patterns indicating command and control communication
SIEM Query:
source_ip=* AND (url="*autoexec.bat*" OR url="*config*" OR url="*system*") AND http_method=POST
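The SIEM query above expressed as a standalone log scanner, added here as an example that is not part of the original advisory. It parses Common Log Format access-log lines, applies the same path wildcards, and goes slightly beyond the query by also catching PUT (which the Network Indicators list mentions) and by grading hits against an assumed management-network allowlist (`AUTHORIZED_NETS`, hypothetical). The sample log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
10.20.0.15 - - [10/Mar/2024:08:01:12 +0000] "GET /status HTTP/1.1" 200 512
10.20.0.15 - - [10/Mar/2024:08:02:44 +0000] "POST /autoexec.bat HTTP/1.1" 200 0
203.0.113.77 - - [10/Mar/2024:08:03:01 +0000] "PUT /autoexec.bat HTTP/1.1" 201 0
203.0.113.77 - - [10/Mar/2024:08:03:09 +0000] "POST /config/system.cfg HTTP/1.1" 200 0
10.20.0.99 - - [10/Mar/2024:08:04:30 +0000] "GET /autoexec.bat HTTP/1.1" 200 1024
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist of management hosts; replace with your maintenance network.
AUTHORIZED_NETS = [ip_network("10.20.0.0/24")]
# Same substrings as the SIEM query's url="*autoexec.bat*" / "*config*" / "*system*".
WATCHED_PATHS = ("autoexec.bat", "config", "system")
WRITE_METHODS = {"POST", "PUT"}  # the query uses POST; PUT is listed as a network indicator


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_authorized(ip):
    """True if the source address falls inside an allowlisted management network."""
    try:
        return any(ip_address(ip) in net for net in AUTHORIZED_NETS)
    except ValueError:
        return False


def classify(entry):
    """Return 'high', 'medium' or None for one parsed entry."""
    url = entry["url"].lower()
    if not any(p in url for p in WATCHED_PATHS) or entry["method"] not in WRITE_METHODS:
        return None  # reads of config paths are noisy; write attempts are the signal
    # A write to the startup file from a management host still deserves review.
    return "medium" if is_authorized(entry["ip"]) else "high"


def scan_log(text):
    """Return (severity, ip, method, url) for every line the rule fires on."""
    alerts = []
    for line in text.splitlines():
        e = parse_line(line)
        sev = classify(e) if e else None
        if sev:
            alerts.append((sev, e["ip"], e["method"], e["url"]))
    return alerts
```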