CVE-2019-13553

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication on Rittal Chiller SK 3232-Series cooling systems using hard-coded credentials. Attackers can control critical operations like turning the cooling unit on/off and changing temperature settings. Organizations using these industrial control systems for facility cooling are affected.

💻 Affected Systems

Products:
  • Rittal Chiller SK 3232-Series
Versions: Carel pCOWeb firmware A1.5.3 through B1.2.4
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All systems with the affected firmware versions are vulnerable due to hard-coded credentials that cannot be changed by administrators.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of cooling systems leading to equipment damage, environmental control failure, or disruption of temperature-sensitive operations in data centers, hospitals, or industrial facilities.

🟠

Likely Case

Unauthorized access to cooling controls causing temperature fluctuations, increased energy consumption, or temporary service disruption.

🟢

If Mitigated

Limited impact if systems are isolated from networks and physical access is controlled, though hard-coded credentials remain a persistent risk.

🌐 Internet-Facing: HIGH - Web interface accessible over network with hard-coded credentials allows remote exploitation without authentication.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable due to hard-coded credentials that cannot be changed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of the hard-coded credentials and network access to the web interface. No legitimate account is needed, because the credentials are built into the firmware and cannot be changed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after B1.2.4

Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsa-19-297-01

Restart Required: Yes

Instructions:

1. Contact Rittal or Carel for updated firmware.
2. Back up the current configuration.
3. Apply the firmware update following vendor instructions.
4. Verify that authentication now requires unique credentials.
5. Change default passwords if applicable.

🔧 Temporary Workarounds

Network Segmentation

Isolate chiller control systems from untrusted networks using firewalls or VLANs.

Access Control Lists

Restrict network access to the chiller web interface to authorized management systems only.

🧯 If You Can't Patch

  • Physically isolate chiller control network from all other networks
  • Implement continuous monitoring for unauthorized access attempts to chiller web interface

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface login page or the device management interface. If the version is A1.5.3 through B1.2.4, the system is vulnerable.

Check Version:

Access web interface and check firmware/version information page, or use vendor-specific management tools.

Verify Fix Applied:

After patching, attempt to authenticate with previously known hard-coded credentials. Access should be denied. Verify firmware version shows post-B1.2.4.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with default credentials
  • Successful logins from unexpected IP addresses
  • Configuration changes to temperature settings or power state

Network Indicators:

  • HTTP requests to chiller web interface from unauthorized sources
  • Traffic patterns indicating temperature setting changes

SIEM Query:

source_ip NOT IN (authorized_management_ips) AND dest_port=80 AND (uri_contains="/login" OR uri_contains="/config")
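The SIEM query above, written out as a runnable check over constructed web-access log lines so the rule can be tested offline. This is an added example, not code from the page or from Rittal/Carel; the log line format, the management allow-list network and all IP addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (not from the page). Format assumed here:
# timestamp src_ip dst_ip:dst_port "METHOD URI HTTP/x" status
SAMPLE_LOG = """\
2019-10-24T08:00:01Z 10.10.5.20 10.0.0.20:80 "GET /index.html HTTP/1.1" 200
2019-10-24T08:00:07Z 10.10.5.20 10.0.0.20:80 "POST /login HTTP/1.1" 200
2019-10-24T08:01:13Z 203.0.113.44 10.0.0.20:80 "POST /login HTTP/1.1" 200
2019-10-24T08:01:19Z 203.0.113.44 10.0.0.20:80 "GET /config/setpoint HTTP/1.1" 200
2019-10-24T08:02:02Z 198.51.100.9 10.0.0.20:443 "POST /login HTTP/1.1" 200
2019-10-24T08:02:40Z 198.51.100.9 10.0.0.20:80 "GET /status HTTP/1.1" 200
"""

# Hypothetical allow-list standing in for the page's authorized_management_ips.
AUTHORIZED_MANAGEMENT = [ipaddress.ip_network("10.10.5.0/24")]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) "(\S+) (\S+) [^"]*" (\d{3})$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, method, uri, status = m.groups()
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "dst_port": int(port),
            "method": method, "uri": uri, "status": int(status)}


def is_authorized(ip, allow):
    """True if ip falls inside any allow-listed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow)


def matches_rule(event, allow=AUTHORIZED_MANAGEMENT):
    """The page's rule: unauthorized source AND port 80 AND /login or /config in the URI."""
    return (not is_authorized(event["src_ip"], allow)
            and event["dst_port"] == 80
            and ("/login" in event["uri"] or "/config" in event["uri"]))


def flag_events(log_text, allow=AUTHORIZED_MANAGEMENT):
    """Return the parsed events that trigger the rule, in log order."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and matches_rule(ev, allow):
            flagged.append(ev)
    return flagged
```

Note that the rule as written on the page only matches port 80, so the sample login over port 443 from 198.51.100.9 is not flagged; if the chiller interface is also served over HTTPS, the port condition should cover both ports.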
