CVE-2024-45862

7.5 HIGH

📋 TL;DR

Kastle Systems firmware versions before May 1, 2024 store machine credentials in cleartext, allowing attackers to read sensitive authentication data. This affects all Kastle Systems physical security devices running vulnerable firmware versions. Attackers with access to the device or its storage can potentially compromise the entire security system.

💻 Affected Systems

Products:
  • Kastle Systems physical security devices and controllers
Versions: All firmware versions prior to May 1, 2024
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default configurations of vulnerable firmware versions. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of physical security systems, unauthorized building access, surveillance system takeover, and potential physical asset theft.

🟠 Likely Case

Unauthorized access to building systems, credential harvesting for lateral movement, and privilege escalation within security infrastructure.

🟢 If Mitigated

Limited exposure if proper network segmentation and access controls prevent attackers from reaching credential storage locations.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to credential storage location, which typically requires some level of system access. Credential extraction itself is trivial once storage is accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions dated May 1, 2024 or later

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-05

Restart Required: Yes

Instructions:

1. Contact Kastle Systems for updated firmware.
2. Back up the current configuration.
3. Apply the firmware update following vendor instructions.
4. Restart the device.
5. Verify the new firmware version and that credentials are now encrypted.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Isolate Kastle Systems devices on separate VLANs with strict firewall rules to limit access.

Access Control Hardening

Applies to: all

Implement strict physical and logical access controls to prevent unauthorized access to devices.

🧯 If You Can't Patch

  • Implement strict network segmentation and zero-trust access controls
  • Monitor for unauthorized access attempts and credential extraction activities

🔍 How to Verify

Check if Vulnerable:

Check the firmware version date in the device management interface. If the date is before May 1, 2024, the device is vulnerable.

Check Version:

Check the firmware version via the Kastle Systems management interface or console.

Verify Fix Applied:

Verify that the firmware version shows a date of May 1, 2024 or later, and confirm that credentials are no longer stored in cleartext.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to credential storage files
  • Multiple failed authentication attempts followed by successful access
  • Unusual file access patterns on security devices

Network Indicators:

  • Unusual outbound connections from security devices
  • Traffic patterns indicating credential extraction

SIEM Query:

source="kastle-devices" AND ((event_type="file_access" AND file_path="*credential*") OR (event_type="auth_failure" AND auth_failure_count>5))

The second branch is a threshold over a time window, not a per-event field: compute the auth_failure count per source over a window (for example 5 minutes) with your SIEM's aggregation step, then alert where it exceeds 5, ideally only when followed by a successful authentication from the same source.
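The two detection rules above (credential-file access, and a burst of authentication failures followed by success), implemented as an added example over constructed sample log lines. This is not code from the page or from Kastle Systems: the key=value log format, the field names (ts, src, event_type, user, file_path), the file path in the sample data and the 5-failure/5-minute threshold are all assumptions chosen to illustrate the logic, and would need to be mapped onto the device's real log schema.

```python
"""Detection logic for the Log Indicators above, run over constructed sample
log lines. Added example; the key=value log format, field names, sample
paths and thresholds are assumptions, not Kastle Systems' real log schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed key=value format). The first source shows
# six failures, a success, then a read of a credential file; the second source
# is benign noise that must not trigger either rule.
SAMPLE_LOGS = """\
ts=2024-06-01T10:00:01 src=10.0.5.20 event_type=auth_failure user=admin
ts=2024-06-01T10:00:03 src=10.0.5.20 event_type=auth_failure user=admin
ts=2024-06-01T10:00:05 src=10.0.5.20 event_type=auth_failure user=admin
ts=2024-06-01T10:00:07 src=10.0.5.20 event_type=auth_failure user=admin
ts=2024-06-01T10:00:09 src=10.0.5.20 event_type=auth_failure user=admin
ts=2024-06-01T10:00:11 src=10.0.5.20 event_type=auth_failure user=admin
ts=2024-06-01T10:00:20 src=10.0.5.20 event_type=auth_success user=admin
ts=2024-06-01T10:01:00 src=10.0.5.20 event_type=file_access file_path=/etc/example/credentials.dat
ts=2024-06-01T10:02:00 src=10.0.5.31 event_type=file_access file_path=/var/log/messages
ts=2024-06-01T10:03:00 src=10.0.5.31 event_type=auth_failure user=tech
ts=2024-06-01T10:03:05 src=10.0.5.31 event_type=auth_success user=tech
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'key=value key=value' line into a dict (assumed log format)."""
    return dict(KV_RE.findall(line))


def credential_file_access(events):
    """Rule 1: any file_access whose path contains 'credential' (case-insensitive).
    Equivalent to the file_path="*credential*" clause of the SIEM query."""
    return [
        e for e in events
        if e.get("event_type") == "file_access"
        and "credential" in e.get("file_path", "").lower()
    ]


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 2: per source, more than `threshold` auth_failure events inside
    `window` that are then followed by an auth_success.
    Returns a list of (src, failure_count, success_timestamp)."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event_type") in ("auth_failure", "auth_success"):
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["event_type"]))

    hits = []
    for src, seq in by_src.items():
        seq.sort()                      # chronological order per source
        failures = []                   # sliding window of recent failure times
        for ts, kind in seq:
            if kind == "auth_failure":
                failures.append(ts)
                failures = [t for t in failures if ts - t <= window]
            else:                       # auth_success closes the window
                if len(failures) > threshold:
                    hits.append((src, len(failures), ts.isoformat()))
                failures = []
    return hits


def run_detection(raw_logs=SAMPLE_LOGS):
    """Parse the log text and apply both rules; returns a dict of rule -> hits."""
    events = [parse_line(l) for l in raw_logs.splitlines() if l.strip()]
    return {
        "credential_access": credential_file_access(events),
        "brute_force_success": brute_force_then_success(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detection().items():
        print(rule, hits)
```

Running it flags the credential-file read from 10.0.5.20 and the 6-failures-then-success sequence from the same source, while the single failure from 10.0.5.31 and its read of a non-credential file stay silent. The sliding window in rule 2 is what the `count>5` fragment of the SIEM query has to become once it is expressed as an aggregation.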
