OTPulse

Ctek, Inc. SkyRouter

Plan Patch | 8.6 | ICS-CERT ICSA-17-264-02 | Sep 21, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Ctek SkyRouter Series 4200 and 4400 devices contain an authentication bypass vulnerability (CWE-287) that allows remote attackers to access the device without valid credentials. The vulnerability is remotely exploitable with low skill level and affects all versions before 6.00.11. No vendor fix is currently available.

What this means
What could happen
An attacker with network access could bypass authentication on the SkyRouter and gain administrative control, allowing them to modify device configuration, intercept or redirect network traffic, or disrupt building automation communication.
Who's at risk
Building automation operators using Carrier SkyRouter Series 4200 and 4400 devices for HVAC, lighting, or other building controls should be concerned. This affects any facility running these older SkyRouter models in their control infrastructure.
How it could be exploited
The attacker sends a crafted network request to the SkyRouter on its management port without providing valid credentials. The device fails to properly validate authentication and grants access, allowing the attacker to execute commands or modify settings remotely.
Prerequisites
  • Network reachability to the SkyRouter's management interface (typically port 80 or 443)
  • No credentials required
remotely exploitable, no authentication required, low complexity, no patch available, default credentials may be present
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SkyRouter Series 4200 and 4400: all | < 6.00.11 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Isolate SkyRouter management interfaces behind a firewall; restrict access to authorized engineering workstations or management networks only
WORKAROUND: Disable remote management features on the SkyRouter if not actively required for operations
HARDENING: Monitor network logs for unauthorized access attempts to the SkyRouter management port
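
The monitoring item above, as an added example that is not part of the advisory or any vendor tooling: a check over firewall flow logs that flags connections to a SkyRouter management port (80 or 443) from outside the authorized engineering workstations. The device address, allowlisted subnet and log format are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed inventory values for illustration; replace with your own.
SKYROUTER_IPS = {ipaddress.ip_address("10.20.0.5")}
MGMT_PORTS = {80, 443}  # ports named in the advisory's prerequisites
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.9.0/28")]  # engineering workstations

# Constructed sample log: "<ISO time> <src> <dst> <dst_port> <ALLOW|DENY>"
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 10.20.9.4 10.20.0.5 443 ALLOW
2024-01-10T08:02:13Z 10.30.1.77 10.20.0.5 80 ALLOW
2024-01-10T08:02:14Z 10.30.1.77 10.20.0.5 443 DENY
2024-01-10T08:05:40Z 10.20.9.4 10.20.0.8 443 ALLOW
not a flow record
2024-01-10T08:07:02Z 198.51.100.23 10.20.0.5 80 ALLOW
2024-01-10T08:09:30Z 10.30.1.77 10.20.0.5 22 ALLOW
"""

def parse_line(line):
    """Return (time, src, dst, port, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), parts[4].upper())
    except ValueError:
        return None

def find_unauthorized(log_text):
    """Flag flows to a SkyRouter management port from outside the allowlist."""
    alerts, per_source = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if dst not in SKYROUTER_IPS or port not in MGMT_PORTS:
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        # ALLOW means the request reached the device: the isolation rule is missing.
        severity = "high" if action == "ALLOW" else "info"
        alerts.append({"time": ts, "src": str(src), "port": port, "severity": severity})
        per_source[str(src)] += 1
    return alerts, per_source
```

A "high" alert means traffic from a non-authorized source was permitted through to the management interface, so the firewall workaround is not in effect for that path.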
Mitigations - no patch available
SkyRouter Series 4200 and 4400: all has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to separate building automation systems from general IT networks
HARDENING: Evaluate replacement or upgrade to a patched SkyRouter model or alternative vendor product that receives security updates