CVE-2018-15486

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform Local File Inclusion (LFI) and file modification on KONE Group Controller devices by manipulating the 'name' parameter in the file endpoint. It affects KONE KGC devices with versions before 4.6.5, potentially exposing sensitive files and enabling further system compromise.

💻 Affected Systems

Products:
  • KONE Group Controller (KGC)
Versions: All versions before 4.6.5
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the open HTTP interface, which is typically enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise including remote code execution, data theft, and device takeover leading to physical safety risks in elevator/access control systems.

🟠 Likely Case

Unauthorized access to sensitive configuration files, credential theft, and potential denial of service through file manipulation.

🟢 If Mitigated

Limited to information disclosure if proper network segmentation and access controls prevent external exploitation.

🌐 Internet-Facing: HIGH - HTTP interface is exposed and unauthenticated exploitation is possible.
🏢 Internal Only: HIGH - Even internally, unauthenticated access allows significant impact.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP parameter manipulation with publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.5 or later

Vendor Advisory: https://www.kone.com/en/vulnerability.aspx

Restart Required: Yes

Instructions:

1. Contact KONE support for patch availability.
2. Back up the current configuration.
3. Apply the firmware update to version 4.6.5 or later.
4. Restart the KGC device.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate KGC devices from untrusted networks and restrict HTTP access to authorized management systems only.

Access Control Lists (all)

Implement firewall rules to restrict HTTP access to KGC devices from specific IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate KGC devices from all untrusted networks
  • Deploy web application firewall (WAF) rules to block LFI patterns and parameter manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or console. If the version is below 4.6.5, the device is vulnerable.

Check Version:

Check via web interface at http://<kgc-ip>/status or consult device documentation for CLI commands.

Verify Fix Applied:

Verify that the firmware version is 4.6.5 or later and test that the file endpoint no longer accepts manipulated 'name' parameters.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to file endpoint with unusual 'name' parameter values
  • Multiple failed file access attempts
  • Unauthorized file modification attempts

Network Indicators:

  • HTTP traffic to KGC devices with parameter manipulation patterns
  • Unusual file paths in HTTP requests

SIEM Query:

source="kgc-http-logs" AND (uri="/file" OR uri="/file/") AND (param_name="name" AND param_value CONTAINS "../")
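A small detector over constructed access-log lines, added here as an example and not part of the original advisory. It goes slightly beyond the SIEM query above: it decodes percent-encoded and double-encoded 'name' values (which a literal "../" match misses) and ignores ".." inside ordinary file names. The log format, the endpoint paths and every sample value are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Common Log Format (not real KGC logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /file?name=config.xml HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /file?name=../../app/settings.cfg HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /file/?name=..%2F..%2Fapp%2Fusers.db HTTP/1.1" 403 0
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /file?name=%252e%252e%252fapp%252fsettings.cfg HTTP/1.1" 200 64
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /file?name=backup..old.cfg HTTP/1.1" 200 256
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /status HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." standing alone as a path segment, in either slash style; "backup..old" does not match.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
FILE_ENDPOINTS = {"/file", "/file/"}  # assumed endpoint paths

def normalize(value, max_rounds=3):
    """Bounded repeated percent-decoding so double-encoded sequences compare equal to plain ones."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_file_request(target):
    """True when the file endpoint is hit with a 'name' that is absolute or traverses directories."""
    parts = urlsplit(target)
    if parts.path not in FILE_ENDPOINTS:
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("name", []):  # parse_qs decodes once
        name = normalize(raw)
        if name.startswith(("/", "\\")) or TRAVERSAL_RE.search(name):
            return True
    return False

def scan_log(text):
    """Return (ip, method, target, status) per suspicious request; status shows served vs blocked."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_file_request(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits
```

Requests that were served (status 200) rather than blocked (403) are the ones that need follow-up, since they indicate a pre-4.6.5 device that actually returned or modified a file.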
