Kastle Systems Access Control System

Plan Patch | CVSS 8.6 | ICS-CERT ICSA-24-263-05 | Sep 19, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Kastle Systems Access Control System firmware versions prior to May 1, 2024 contain configuration information disclosure vulnerabilities (CWE-798: hardcoded credentials, CWE-312: cleartext storage of sensitive data). An unauthenticated attacker can retrieve sensitive information from the system configuration. Kastle has addressed these vulnerabilities internally on their cloud-hosted platform. No user action is required for cloud customers as the fix is applied server-side.

What this means
What could happen
An attacker with network access could retrieve sensitive information stored in the access control system's configuration, potentially including authentication credentials or security policy details. This could compromise the physical security controls of facilities protected by the system.
Who's at risk
Facilities using Kastle Systems cloud-based access control platforms for physical security (building entry, door locks, badge readers). This includes office buildings, industrial sites, government facilities, and any location relying on Kastle for centralized access control.
How it could be exploited
An attacker on the network could send unauthenticated requests to the access control system to extract configuration data containing sensitive information. Since this is a cloud-hosted solution, the attacker would need network reachability to Kastle Systems' cloud platform (likely HTTPS on standard ports).
Prerequisites
  • Network access to Kastle Systems cloud platform (typical HTTPS endpoints)
  • No authentication required to trigger information disclosure
  • System running firmware dated before May 1, 2024
remotely exploitable, no authentication required, affects physical security systems, low complexity
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
Access Control System Firmware | < May 1, 2024 | Fix available
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Verify that your Kastle Systems access control firmware has been updated to the version released after May 1, 2024 through your Kastle Systems account or dashboard.
API: /api/v1/advisories/2e57afe3-6ec2-4121-84ba-43644a4e1cae
