CVE-2024-0323
📋 TL;DR
The B&R Automation Runtime FTP server supports outdated encryption protocols (SSLv3, TLSv1.0, TLSv1.1) that are vulnerable to known cryptographic attacks. A network-positioned attacker can exploit these weak protocols to perform man-in-the-middle attacks and decrypt communications between clients and the affected server. This affects systems running B&R Automation Runtime with the vulnerable FTP server configuration.
💻 Affected Systems
- B&R Automation Runtime
📦 What is this software?
Automation Runtime by B&R Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive industrial automation data, including credentials, configuration files, and operational commands, potentially leading to production disruption or safety incidents.
Likely Case
Interception and decryption of FTP communications containing configuration data, firmware updates, or operational logs, enabling reconnaissance and potential further attacks.
If Mitigated
Limited impact if strong network segmentation and monitoring are in place, though weak encryption still presents a compliance and security hygiene issue.
🎯 Exploit Status
Exploitation requires network access to the FTP server and leverages well-known cryptographic weaknesses in outdated protocols.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to vendor advisory for specific patched versions
Vendor Advisory: https://www.br-automation.com/fileadmin/SA23P004_FTP_uses_unsecure_encryption_mechanisms-f57c147c.pdf
Restart Required: Yes
Instructions:
1. Review vendor advisory SA23P004.
2. Apply the recommended update from B&R.
3. Restart affected systems.
4. Verify encryption protocols are updated to TLS 1.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable encryption protocols
Configure the FTP server to use only TLS 1.2 or higher, disabling SSLv3, TLS 1.0, and TLS 1.1.
Network segmentation
Isolate the FTP server behind firewalls, restricting access to trusted networks only.
🧯 If You Can't Patch
- Implement strict network access controls to limit FTP server exposure
- Monitor for unusual FTP traffic patterns and failed connection attempts
🔍 How to Verify
Check if Vulnerable:
Use Nmap's ssl-enum-ciphers script or OpenSSL s_client to test which SSL/TLS protocol versions the FTP service accepts on its port (typically 21 or 990).
Check Version:
Check B&R Automation Runtime version through system interface or configuration tools as specified in vendor documentation.
Verify Fix Applied:
Re-test with encryption protocol scanners to confirm only TLS 1.2+ is supported.
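To make the check above concrete, here is an added probe script (an example written for this page, not B&R's tooling or anything from the advisory). It opens an explicit-FTPS control connection, sends AUTH TLS, and then attempts a handshake pinned to one protocol version at a time, so each version is individually reported as accepted or rejected; `assess()` reduces the results to the advisory's pass/fail criterion. It assumes the service speaks explicit FTPS (AUTH TLS on port 21), and the default hostname is a placeholder. Two caveats it handles: a plain `openssl s_client` without `-starttls ftp` would see no TLS at all on port 21, and a current OpenSSL build will not offer TLS 1.0/1.1 itself unless its security level is lowered, and usually cannot offer SSLv3 at all, which the script reports as untestable rather than silently marking the server safe.

```python
"""Probe which TLS protocol versions an explicit-FTPS (AUTH TLS) server accepts.

Added example for CVE-2024-0323 verification; not vendor code. Target hostname is a placeholder.
"""
import socket
import ssl

# Protocols the advisory calls out as weak. SSLv3 is listed for completeness;
# most current OpenSSL builds cannot even offer it, which the probe reports.
LEGACY = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}
MODERN = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_reply_code(line: str) -> int:
    """Return the 3-digit FTP reply code from a control-channel line, e.g. '234 AUTH TLS OK' -> 234."""
    code = line[:3]
    if not code.isdigit():
        raise ValueError(f"not an FTP reply: {line!r}")
    return int(code)


def _read_reply(sock: socket.socket) -> str:
    """Read one FTP reply; multi-line replies use 'NNN-' continuation lines and end with 'NNN '."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed control connection")
        data += chunk
        lines = data.decode("latin-1").splitlines()
        last = lines[-1] if lines else ""
        if data.endswith(b"\n") and len(last) >= 4 and last[:3].isdigit() and last[3] == " ":
            return last


def _context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that negotiates exactly one protocol version.

    We are testing the server, not authenticating it, so certificate verification is off,
    and the OpenSSL security level is lowered so the *client* is allowed to offer TLS 1.0/1.1.
    Raises ValueError if the local OpenSSL cannot offer the requested version (typical for SSLv3).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host: str, port: int = 21, timeout: float = 5.0) -> dict[str, str]:
    """Try each protocol version over a fresh AUTH TLS session; return version -> outcome."""
    results = {}
    for name, version in {**LEGACY, **MODERN}.items():
        try:
            ctx = _context_for(version)
        except ValueError:
            results[name] = "untestable (local OpenSSL cannot offer it)"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                raw.settimeout(timeout)
                if parse_reply_code(_read_reply(raw)) // 100 != 2:
                    results[name] = "no service banner"
                    continue
                raw.sendall(b"AUTH TLS\r\n")  # explicit FTPS: ask to upgrade the control channel
                if parse_reply_code(_read_reply(raw)) != 234:
                    results[name] = "server refused AUTH TLS"
                    continue
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = f"accepted ({tls.version()})"
        except ssl.SSLError:
            results[name] = "rejected"
        except OSError as exc:
            results[name] = f"error: {exc}"
    return results


def assess(results: dict[str, str]) -> str:
    """Reduce probe results to the advisory's criterion: any accepted legacy version fails."""
    weak = sorted(n for n in LEGACY if results.get(n, "").startswith("accepted"))
    if weak:
        return "VULNERABLE: accepts " + ", ".join(weak)
    return "OK: only TLS 1.2+ accepted"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"  # placeholder target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    found = probe(target, port)
    for name, outcome in found.items():
        print(f"{name:8s} {outcome}")
    print(assess(found))
```

Run it as `python probe_ftps.py <host> 21` against your own controller from a host that is allowed to reach it. For implicit FTPS on port 990 the TLS handshake happens before any FTP reply, so the banner read and AUTH TLS step would be dropped and the socket wrapped immediately after connecting. Treat "untestable" as exactly that: it means the scanning host could not form the offer, not that the server rejects the version.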
📡 Detection & Monitoring
Log Indicators:
- Failed TLS handshakes
- Connections using deprecated SSL/TLS versions
- Unusual FTP authentication patterns
Network Indicators:
- SSLv3/TLS1.0/TLS1.1 handshakes to FTP port
- Signs of interception, such as protocol downgrades (a client that normally negotiates TLS 1.2 completing TLS 1.0/1.1 handshakes) or unexpected server-certificate changes in captured traffic
SIEM Query:
source="ftp_server" AND (tls_version="SSLv3" OR tls_version="TLSv1.0" OR tls_version="TLSv1.1")
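The SIEM query above matches exact version strings, and loggers do not agree on them: OpenSSL-derived tooling reports TLS 1.0 as "TLSv1", other sources write "TLS1.1" or "SSL3", so an exact-match query can miss real sessions. The following added example (written for this page, not vendor code) runs the same detection logic over constructed key=value log lines, normalising the version labels first and then counting deprecated-version handshakes per client address, which separates one legacy client that needs attention from many sources sweeping the server. The field names (`source`, `src_ip`, `tls_version`) mirror the query on this page but are assumptions about the log format, and the sample lines are invented.

```python
"""Flag FTP-server TLS sessions that used deprecated protocol versions, from key=value log lines.

Added example for CVE-2024-0323 detection; field names are assumed, sample lines are constructed.
"""
import re
from collections import Counter

# Normalise the many spellings loggers use for the same protocol version, so the
# match does not silently miss "TLSv1" (TLS 1.0) or "SSL3" (SSLv3).
VERSION_ALIASES = {
    "sslv3": "SSLv3", "ssl3": "SSLv3", "ssl3.0": "SSLv3",
    "tlsv1": "TLSv1.0", "tlsv1.0": "TLSv1.0", "tls1.0": "TLSv1.0", "tls1": "TLSv1.0",
    "tlsv1.1": "TLSv1.1", "tls1.1": "TLSv1.1",
    "tlsv1.2": "TLSv1.2", "tls1.2": "TLSv1.2",
    "tlsv1.3": "TLSv1.3", "tls1.3": "TLSv1.3",
}
DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# key=value or key="quoted value" pairs
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict[str, str]:
    """Parse 'k=v k2="v 2"' into a dict; unquoted values stop at whitespace."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV.finditer(line)
    }


def normalize_version(raw: str) -> str:
    """Map a logger-specific version label to the canonical spelling used in DEPRECATED."""
    return VERSION_ALIASES.get(raw.strip().lower(), raw.strip())


def find_deprecated(lines):
    """Return (record, canonical_version) for each FTP-server record whose TLS version is deprecated."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("source") != "ftp_server" or "tls_version" not in rec:
            continue
        version = normalize_version(rec["tls_version"])
        if version in DEPRECATED:
            hits.append((rec, version))
    return hits


def summarize_by_client(hits) -> Counter:
    """Count deprecated-version handshakes per client address."""
    return Counter(rec.get("src_ip", "unknown") for rec, _ in hits)


# Constructed sample log lines (not from any real system); note the three spellings of old versions.
SAMPLE_LOGS = [
    'ts=2024-03-01T10:00:01Z source="ftp_server" src_ip=10.0.0.5 event=tls_handshake tls_version="TLSv1.2" result=ok',
    'ts=2024-03-01T10:00:07Z source="ftp_server" src_ip=10.0.0.9 event=tls_handshake tls_version="TLSv1" result=ok',
    'ts=2024-03-01T10:00:09Z source="ftp_server" src_ip=10.0.0.9 event=tls_handshake tls_version=TLS1.1 result=ok',
    'ts=2024-03-01T10:00:12Z source="ftp_server" src_ip=10.0.0.21 event=tls_handshake tls_version="SSLv3" result=failed',
    'ts=2024-03-01T10:00:15Z source="web_proxy" src_ip=10.0.0.9 event=tls_handshake tls_version="TLSv1.0" result=ok',
    'ts=2024-03-01T10:00:20Z source="ftp_server" src_ip=10.0.0.5 event=login user=operator result=ok',
]

if __name__ == "__main__":
    hits = find_deprecated(SAMPLE_LOGS)
    for rec, version in hits:
        print(f"{rec['ts']} {rec['src_ip']:<10} {version:<8} result={rec.get('result')}")
    print("per client:", dict(summarize_by_client(hits)))
```

On the sample data this reports three hits (TLS 1.0 and TLS 1.1 from 10.0.0.9, a failed SSLv3 attempt from 10.0.0.21) and ignores the proxy's TLS 1.0 record because the query is scoped to the FTP server. Even failed legacy handshakes are worth keeping: after the fix is applied they are the evidence that a client or a scanner is still asking for the old versions.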