CVE-2023-4291

9.8 CRITICAL

📋 TL;DR

This critical vulnerability allows unauthenticated attackers to execute arbitrary code on Frauscher Sensortechnik FDS101 devices by sending manipulated parameters to the web interface. This affects all FDS101 devices for FAdC/FAdCi running version 1.4.24 and earlier. Successful exploitation gives attackers complete control over affected devices.

💻 Affected Systems

Products:
  • Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi
Versions: v1.4.24 and all previous versions
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with the web interface enabled are vulnerable. The vulnerability exists in the default configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, disrupt railway signaling operations, manipulate sensor data, or pivot to other network systems.

🟠

Likely Case

Attackers gain full administrative control of the device, allowing them to modify configurations, disable security controls, and potentially disrupt railway operations.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the isolated device with no lateral movement to critical systems.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and can be exploited remotely via the web interface, making internet-exposed devices immediate targets.
🏢 Internal Only: HIGH - Even internally, the lack of authentication requirement means any network access to the device enables exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication, and because it is triggered by manipulated web parameters, exploitation is expected to be straightforward. While no public PoC exists, the high CVSS score and unauthenticated nature make weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.4.25 or later

Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-038

Restart Required: Yes

Instructions:

1. Contact Frauscher Sensortechnik for updated firmware.
2. Backup device configuration.
3. Apply firmware update to v1.4.25 or later.
4. Restart the device.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Isolation

all

Completely isolate FDS101 devices from untrusted networks and restrict access to authorized management systems only.

Disable Web Interface

all

If web interface functionality is not required, disable it completely to remove the attack surface.

🧯 If You Can't Patch

  • Implement strict network segmentation with firewall rules blocking all inbound traffic to FDS101 devices except from authorized management stations.
  • Deploy network-based intrusion detection/prevention systems to monitor for exploitation attempts and block malicious traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or console. If version is 1.4.24 or earlier, the device is vulnerable.

Check Version:

Check via device web interface or consult device documentation for version query commands.

Verify Fix Applied:

Verify firmware version is 1.4.25 or later. Test web interface functionality to ensure it operates normally without allowing unauthorized parameter manipulation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual web interface access patterns
  • Multiple failed parameter manipulation attempts
  • Unexpected process execution or system modifications

Network Indicators:

  • Unusual traffic to FDS101 web interface ports
  • HTTP requests with manipulated parameters to device endpoints
  • Outbound connections from FDS101 to unexpected destinations

SIEM Query:

source_ip=* AND dest_ip=FDS101_IP AND (http_method=POST OR http_method=GET) AND (url_contains="/cgi-bin/" OR url_contains_parameters) AND user_agent_unusual
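
The network indicators above can be checked against flow logs with an allowlist of management stations, as in this added example (not vendor or advisory code). The device addresses, management subnet, web ports and log format are all constructed assumptions; replace them with your own inventory.

```python
import ipaddress

# Assumptions (constructed for illustration): device and management addresses.
FDS101_DEVICES = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
MGMT_NETWORKS = [ipaddress.ip_network("10.20.9.0/28")]  # authorized management stations
WEB_PORTS = {80, 443}  # assumed web interface ports

# Constructed records, one per connection, initiator first:
# "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2023-09-01T08:00:01Z 10.20.9.5 51000 10.20.0.11 443 tcp
2023-09-01T08:03:17Z 10.20.30.77 40222 10.20.0.11 80 tcp
2023-09-01T08:03:20Z 10.20.0.11 39001 203.0.113.50 4444 tcp
2023-09-01T08:05:00Z 10.20.0.12 123 10.20.9.1 123 udp
malformed line
2023-09-01T08:06:44Z 10.20.9.200 50111 10.20.0.12 443 tcp
"""

def is_mgmt(ip):
    """True if the address belongs to an authorized management network."""
    return any(ip in net for net in MGMT_NETWORKS)

def triage(flow_text):
    """Return (line_no, reason, line) for flows that break the allowlist."""
    alerts = []
    for n, line in enumerate(flow_text.splitlines(), 1):
        try:
            ts, src, sport, dst, dport, proto = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Surface bad records instead of silently dropping them.
            alerts.append((n, "unparseable", line))
            continue
        if dst in FDS101_DEVICES and dport in WEB_PORTS and not is_mgmt(src):
            alerts.append((n, "web-access-from-unauthorized-source", line))
        elif src in FDS101_DEVICES and not is_mgmt(dst) and dst not in FDS101_DEVICES:
            alerts.append((n, "unexpected-outbound-from-device", line))
    return alerts

if __name__ == "__main__":
    for n, reason, line in triage(SAMPLE_FLOWS):
        print(f"line {n}: {reason}: {line}")
```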
