CVE-2024-4791

7.5 HIGH

📋 TL;DR

A high-severity vulnerability in Contemporary Control System BASrouter BACnet BASRT-B 2.7.2 allows remote attackers to cause denial of service by manipulating Application Protocol Data Unit (APDU) packets. This affects building automation systems using this BACnet router. The vulnerability is remotely exploitable and has public exploit details available.

💻 Affected Systems

Products:
  • Contemporary Control System BASrouter BACnet BASRT-B
Versions: 2.7.2
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the BACnet APDU component specifically. No other versions confirmed, but similar models may be vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of building automation systems (HVAC, lighting, access control) leading to operational shutdown, safety risks, and potential physical damage.

🟠 Likely Case

Service interruption in building automation networks causing temporary loss of control over HVAC, lighting, or other BAS functions.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, potentially causing isolated service disruption.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details exist.
🏢 Internal Only: HIGH - Even internally, the vulnerability can be exploited by attackers who gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details and packet captures are publicly available on GitHub. The vendor did not respond to disclosure attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Contact Contemporary Control Systems for vendor guidance.

🔧 Temporary Workarounds

Network Segmentation

Isolate BASRT-B routers from untrusted networks and implement strict firewall rules.

Traffic Filtering

Block or filter suspicious BACnet APDU traffic at network boundaries.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted sources only
  • Monitor network traffic for abnormal BACnet APDU patterns and implement intrusion detection

🔍 How to Verify

Check if Vulnerable:

Check device version via web interface or serial console. If running BASRT-B 2.7.2, assume vulnerable.

Check Version:

Check via device web interface at http://[device-ip] or serial console connection

Verify Fix Applied:

No fix available to verify. Monitor for vendor updates.

📡 Detection & Monitoring

Log Indicators:

  • Device crash logs
  • Unusual BACnet APDU traffic patterns
  • Service interruption alerts

Network Indicators:

  • Malformed BACnet APDU packets targeting port 47808
  • Sudden increase in BACnet traffic to BASRT-B devices

SIEM Query:

(destination_port:47808 AND (packet_size:abnormal OR protocol_violation:true)) OR (device_type:"BASRT-B" AND event_type:"crash")
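
The "malformed BACnet APDU packets targeting port 47808" indicator can be approximated with a structural check of each BACnet/IP datagram, shown here as an added example that is not from the vendor or the CVE record. It applies generic BVLC/NPDU/APDU framing checks only and is not a signature for the specific packet behind CVE-2024-4791, which this page does not describe; the function name `check_bacnet_ip` and the sample datagrams are constructed for illustration.

```python
import struct

# BVLC functions that carry an NPDU -> byte offset where the NPDU starts
# (0x04 Forwarded-NPDU has a 6-byte original address after the 4-byte header).
NPDU_OFFSET = {0x04: 10, 0x09: 4, 0x0A: 4, 0x0B: 4}

def check_bacnet_ip(payload: bytes) -> list:
    """Return structural problems in one UDP/47808 payload ([] = well formed)."""
    if len(payload) < 4:
        return ["truncated BVLC header"]
    bvlc_type, func, length = struct.unpack("!BBH", payload[:4])
    problems = []
    if bvlc_type != 0x81:
        problems.append("BVLC type is not 0x81 (BACnet/IP)")
    if length != len(payload):
        problems.append(f"BVLC length {length} != datagram length {len(payload)}")
    if func not in NPDU_OFFSET:
        return problems                      # BVLL control message, no NPDU
    npdu = payload[NPDU_OFFSET[func]:]
    if len(npdu) < 2:
        return problems + ["truncated NPDU"]
    if npdu[0] != 0x01:
        problems.append("NPDU version is not 1")
    control, pos = npdu[1], 2
    for flag in (0x20, 0x08):                # DNET/DLEN/DADR, then SNET/SLEN/SADR
        if control & flag:
            if len(npdu) < pos + 3:
                return problems + ["truncated NPDU address"]
            pos += 3 + npdu[pos + 2]         # 2-byte net, 1-byte len, len-byte addr
    if control & 0x20:
        pos += 1                             # hop count follows when DNET is present
    if pos >= len(npdu):
        return problems + ["NPDU header overruns datagram"]
    if not control & 0x80 and npdu[pos] >> 4 > 7:   # APDU types 8-15 are reserved
        problems.append("reserved APDU type")
    return problems

# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "who-is broadcast": bytes.fromhex("810b000c0120ffff00ff1008"),
    "length mismatch":  bytes.fromhex("810b00400120ffff00ff1008"),
    "DLEN overrun":     bytes.fromhex("810a00090120000106"),
    "reserved APDU":    bytes.fromhex("810a00080100f000"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {check_bacnet_ip(data) or 'ok'}")
```

A non-empty result is what a `protocol_violation:true` field in the query above would represent; feed the function UDP payloads from a capture or sensor at the BAS network boundary.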
