CVE-2023-0053
📋 TL;DR
This vulnerability affects SAUTER Controls Nova 200-220 Series building automation controllers and BACnetstac software, allowing attackers to intercept sensitive information like credentials transmitted in cleartext via FTP and Telnet protocols. Organizations using these devices with vulnerable firmware/software versions are at risk of credential theft and unauthorized system access.
💻 Affected Systems
- SAUTER Controls Nova 200 Series
- SAUTER Controls Nova 220 Series
- BACnetstac
📦 What is this software?
Bacnetstac by Sauter Controls
Modunet300 Ey Am300f001 Firmware by Sauter Controls
Modunet300 Ey Am300f002 Firmware by Sauter Controls
Nova 106 Eyk300f001 Firmware by Sauter Controls
Nova 220 Eyk220f001 Firmware by Sauter Controls
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to building automation systems, potentially manipulating HVAC, lighting, or security controls, causing physical damage, safety hazards, or operational disruption.
Likely Case
Attackers steal credentials to access the management interface, potentially modifying device configurations, disrupting building operations, or using the device as a foothold for lateral movement.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential credential exposure without successful exploitation of the management interface.
🎯 Exploit Status
Exploitation requires network access to intercept cleartext traffic; no authentication bypass needed if credentials are captured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nova firmware >3.3-006, BACnetstac >4.2.1
Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-05
Restart Required: Yes
Instructions:
1. Contact SAUTER Controls for updated firmware/software.
2. Backup device configurations.
3. Apply updates following vendor instructions.
4. Verify secure protocols are enabled post-update.
🔧 Temporary Workarounds
Disable FTP and Telnet
Disable vulnerable protocols and use secure alternatives like SFTP/SSH if available
Consult device documentation for protocol disable commands
Network Segmentation
Isolate affected devices on separate VLANs with strict access controls
🧯 If You Can't Patch
- Implement network encryption (VPN/IPsec) for all management traffic to these devices
- Deploy network monitoring to detect credential interception attempts and unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or serial console; verify if FTP/Telnet are the only management protocols enabled
Check Version:
Consult device documentation for version check commands (varies by model)
Verify Fix Applied:
Confirm firmware version is >3.3-006 for Nova or >4.2.1 for BACnetstac; verify secure protocols (SSH/SFTP) are available and cleartext protocols are disabled
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts from unexpected IPs
- Multiple Telnet/FTP connection attempts
- Configuration changes from unknown users
Network Indicators:
- Cleartext credential transmission on port 21 (FTP) or 23 (Telnet)
- Unusual outbound connections from affected devices
SIEM Query:
(source_port:21 OR source_port:23) AND (event_type:"authentication" OR protocol:"ftp" OR protocol:"telnet")
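The network indicators above can also be checked offline against exported flow records. The following is an added example, not part of the advisory or any vendor tooling: the CSV layout, the controller VLAN (10.50.1.0/24) and the management range (10.20.0.0/24) are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample flow records (not real traffic); the CSV layout is an assumption.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,proto
2023-01-12T08:00:01Z,10.20.0.5,10.50.1.10,23,tcp
2023-01-12T08:00:07Z,10.20.0.5,10.50.1.10,443,tcp
2023-01-12T08:03:44Z,192.168.77.23,10.50.1.11,21,tcp
2023-01-12T08:05:10Z,10.20.0.6,10.60.2.2,21,tcp
2023-01-12T08:06:30Z,10.50.1.10,10.50.1.11,23,tcp
2023-01-12T08:07:00Z,not-an-ip,10.50.1.10,23,tcp
"""

CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}
CONTROLLER_NET = ipaddress.ip_network("10.50.1.0/24")  # assumed controller VLAN
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")        # assumed management hosts


def find_cleartext_sessions(flow_csv):
    """Return findings for FTP/Telnet flows that terminate on a controller."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src_ip"])
            dst = ipaddress.ip_address(row["dst_ip"])
            port = int(row["dst_port"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the run
        if row.get("proto") != "tcp" or port not in CLEARTEXT_PORTS:
            continue
        if dst not in CONTROLLER_NET:
            continue
        # Any hit means credentials can cross the wire in cleartext; a source
        # outside the management range also violates the segmentation policy.
        severity = "warn" if src in MGMT_NET else "alert"
        findings.append((row["ts"], str(src), str(dst), CLEARTEXT_PORTS[port], severity))
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_sessions(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

A "warn" finding still means a cleartext management session took place and should be moved to an encrypted channel; an "alert" finding additionally shows traffic reaching the controllers from outside the expected management range.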