CVE-2023-36669
📋 TL;DR
CVE-2023-36669 is a critical authentication bypass vulnerability in Kratos NGC Indoor Units (IDU) that allows remote attackers to impersonate the Touch Panel Unit and gain complete control of the IDU/ODU system. Any attacker with network access to the IDU can exploit this vulnerability by sending crafted TCP requests. Organizations using affected Kratos NGC IDU systems before version 11.4 are vulnerable.
💻 Affected Systems
- Kratos NGC Indoor Unit (IDU)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the IDU/ODU system allowing attackers to manipulate HVAC controls, disable environmental monitoring, or potentially cause physical damage to connected equipment.
Likely Case
Unauthorized control of building HVAC systems leading to operational disruption, environmental safety risks, and potential data exfiltration from connected systems.
If Mitigated
Limited impact if systems are isolated in secure networks with strict access controls and monitored for anomalous TCP traffic.
🎯 Exploit Status
Exploitation requires only network access and ability to craft TCP packets to the IDU service port.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.4 and later
Vendor Advisory: https://www.kratosdefense.com/vulnerability-advisories/cve-2023-36669
Restart Required: Yes
Instructions:
1. Download firmware version 11.4 or later from Kratos support portal. 2. Backup current configuration. 3. Apply firmware update following vendor documentation. 4. Restart IDU unit. 5. Verify version is 11.4 or higher.
🔧 Temporary Workarounds
Network Segmentation
allIsolate IDU systems in separate VLAN with strict firewall rules limiting access to authorized management systems only.
Access Control Lists
allImplement network ACLs to restrict TCP access to IDU management interface from only authorized IP addresses.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate IDU systems from general network traffic
- Deploy network monitoring and intrusion detection for anomalous TCP traffic to IDU ports
🔍 How to Verify
Check if Vulnerable:
Check IDU firmware version via web interface or serial console; versions below 11.4 are vulnerable.Check Version:
Check via IDU web interface at System > About or via serial console using vendor-specific commands.Verify Fix Applied:
Verify firmware version shows 11.4 or higher after update and test that unauthorized TCP connections to IDU management port are rejected.📡 Detection & Monitoring
Log Indicators:
- Unauthorized TCP connections to IDU management port
- Multiple failed authentication attempts from unexpected sources
- Configuration changes from unauthorized IP addresses
Network Indicators:
- TCP traffic to IDU management port (default 502) from unauthorized sources
- Crafted TCP packets with TPU impersonation patterns
- Unusual command sequences to IDU systems
SIEM Query:
source_ip NOT IN (authorized_ips) AND destination_port=502 AND protocol=TCP