CVE-2021-36799

8.8 HIGH

📋 TL;DR

CVE-2021-36799 is a hard-coded credential vulnerability in KNX ETS5 software versions through 5.7.6. It allows local users to decrypt and read project information using the known password 'ETS5Password' with the salt 'Ivan Medvedev'. This affects organizations that still use unsupported ETS5 versions for building automation projects.

💻 Affected Systems

Products:
  • KNX ETS5 Professional
Versions: through 5.7.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects products no longer supported by the maintainer. ETS5 is used for configuring KNX building automation systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with local access could extract sensitive building automation configurations, security keys, and project details, potentially enabling physical security bypass or system manipulation.

🟠 Likely Case

Local users or malware could access and exfiltrate KNX project files containing building automation logic and device configurations.

🟢 If Mitigated

With proper access controls and updated software, only authorized users can access project files, maintaining the confidentiality of building automation systems.

🌐 Internet-Facing: LOW - This requires local access to the system running ETS5 software.
🏢 Internal Only: HIGH - Internal users with local access to ETS5 installations can exploit this vulnerability to access sensitive project data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Publicly available password recovery tools demonstrate exploitation. Exploitation requires local access to the system running ETS5.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.knx.org/knx-en/for-professionals/software/ets-5-professional/

Restart Required: No

Instructions:

Upgrade to a supported ETS6 version. No patch is available for ETS5 because it is end-of-life.

🔧 Temporary Workarounds

Restrict Local Access (all platforms)

Limit physical and remote access to systems running ETS5 software to authorized personnel only.

File System Permissions (Windows)

Set strict file permissions on ETS5 project directories to prevent unauthorized access. Note that an explicit deny entry takes precedence over allow entries, so the operators who legitimately need ETS5 must not be members of the group you deny (for example, place them in a dedicated group rather than relying on membership in Users).

icacls "C:\Program Files\ETS5\Projects" /deny Users:(OI)(CI)F
icacls "C:\Users\%USERNAME%\Documents\ETS5 Projects" /deny Users:(OI)(CI)F

🧯 If You Can't Patch

  • Migrate projects to supported ETS6 version and decommission ETS5 installations.
  • Implement strict access controls and monitoring on systems running ETS5 software.

🔍 How to Verify

Check if Vulnerable:

Check the ETS5 version under Help > About. If the version is 5.7.6 or earlier, the system is vulnerable.

Check Version:

Open ETS5 and navigate to the Help > About menu.

Verify Fix Applied:

Verify ETS5 is uninstalled and replaced with ETS6. Check that project files are no longer accessible to unauthorized users.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to ETS5 project directories
  • Execution of known password recovery tools like ets5-password-recovery

Network Indicators:

  • Unusual file transfers of .knxproj files from ETS5 systems

SIEM Query:

Process creation where command_line contains 'ets5-password-recovery' OR file_access where file_path contains '.knxproj' AND user not in authorized_users
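The SIEM query above, turned into a runnable rule as an added example (not tooling from this page or from the vendor): it applies both clauses to constructed JSON-lines telemetry. The event field names, the authorized_users set, and the sample events are assumptions made for the example.

```python
import json
from typing import Iterable, Optional

# Constructed sample telemetry (JSON lines); field names are an assumption.
SAMPLE_EVENTS = r"""
{"type": "process_creation", "host": "ETS-WS01", "user": "jdoe", "command_line": "C:\\Tools\\ets5-password-recovery.exe C:\\Projects\\hq.knxproj"}
{"type": "file_access", "host": "ETS-WS01", "user": "integrator", "file_path": "C:\\Users\\integrator\\Documents\\ETS5 Projects\\hq.knxproj"}
{"type": "file_access", "host": "ETS-WS01", "user": "svc_backup", "file_path": "C:\\Users\\integrator\\Documents\\ETS5 Projects\\hq.knxproj"}
{"type": "process_creation", "host": "ETS-WS01", "user": "integrator", "command_line": "C:\\Program Files\\ETS5\\ETS5.exe"}
{"type": "file_access", "host": "ETS-WS01", "user": "svc_backup", "file_path": "C:\\Users\\integrator\\Documents\\report.pdf"}
"""

# Assumed allow-list of accounts that may open ETS5 project files.
AUTHORIZED_USERS = {"integrator"}
TOOL_MARKER = "ets5-password-recovery"  # process-name indicator from the page


def classify(event: dict, authorized_users=AUTHORIZED_USERS) -> Optional[str]:
    """Return an alert reason if the event matches either clause of the rule, else None."""
    if event.get("type") == "process_creation":
        if TOOL_MARKER in event.get("command_line", "").lower():
            return "known ETS5 password-recovery tool executed"
    elif event.get("type") == "file_access":
        path = event.get("file_path", "").lower()
        if ".knxproj" in path and event.get("user") not in authorized_users:
            return "ETS5 project file accessed by unauthorized user"
    return None


def detect(lines: Iterable[str], authorized_users=AUTHORIZED_USERS) -> list:
    """Run the rule over JSON-lines telemetry; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = classify(event, authorized_users)
        if reason:
            alerts.append({"host": event.get("host"), "user": event.get("user"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed input the rule raises two alerts: the tool execution by jdoe and the project-file read by svc_backup, while the integrator's own access is not flagged.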
