Kastle Systems Access Control System
Status: Plan patch · Score: 8.6 · ICS-CERT ICSA-24-263-05 · Published Sep 19, 2024
Attack vector: Network
Auth required: None
Complexity: Low
User interaction: None needed
Summary
Kastle Systems Access Control System contains hard-coded credentials (CWE-798) and stores sensitive information in cleartext (CWE-312). Successful exploitation allows an attacker with network access to read sensitive data without authenticating as a legitimate user, including user credentials, access logs, and system configuration. The affected firmware versions are those released before May 1, 2024. Kastle has fixed the vulnerabilities internally in its cloud infrastructure, so no update is required from customers; organizations should still audit their systems for signs of compromise during the period the vulnerable service was live.
What this means
What could happen
An attacker with network access could read sensitive information from the access control system, such as user credentials, access logs, or configuration data. This could enable unauthorized building access or further attacks on facility operations.
Who's at risk
Any organization using Kastle Systems access control products, including municipal facilities, utilities, offices, and data centers that rely on this cloud service for badge access, door lock management, or visitor logs.
How it could be exploited
An attacker who can reach the cloud-hosted access control system over the network sends requests that retrieve sensitive data without presenting legitimate credentials: the hard-coded credentials stand in for real authentication, and because the credentials and configuration are stored in cleartext, the attacker can download or view them directly once retrieved.
Prerequisites
- Network access to the Kastle Systems cloud-hosted service
- No authentication required
Key points: remotely exploitable; no authentication required; low complexity; cloud-hosted (Kastle patches the service, no customer update); information disclosure risk (credentials and logs)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected versions | Fix status
Access Control System | Firmware before May 1, 2024 | Fix available (applied by Kastle in its cloud infrastructure)
Remediation & Mitigation
Do now
HOTFIX: Verify with Kastle Systems that the cloud service has been patched; no action is required on your end, as Kastle manages the fix internally.
HARDENING: Review access logs and user activity in your Kastle system going back to at least May 1, 2024 (the vendor's fix date), since the exposure window is the period the vulnerable service was live. Look for reads of credentials or configuration that were not authenticated, and for configuration changes made by unexpected accounts or from unexpected source addresses.
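The log review above can be scripted. The following is an added example and not Kastle code or a Kastle export format: it assumes a hypothetical, generic audit-event schema (timestamp, actor, action, source address, whether the request was authenticated) that you would map from whatever your Kastle portal or SIEM actually provides, and the admin accounts, trusted networks and sample events are constructed for the demonstration. It flags sensitive actions that were unauthenticated, came from outside trusted networks, or changed configuration under a non-admin account, and marks whether each finding falls before the May 1, 2024 fix date.

```python
"""Review access-control audit events for signs that the hard-coded
credentials were used (added example; schema and data are hypothetical)."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Vendor fix date from the advisory; activity before it is the exposure window.
FIX_DATE = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Site-specific assumptions (hypothetical values, tune per organization).
ADMIN_ACCOUNTS = {"facilities-admin", "kastle-svc"}
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
SENSITIVE_ACTIONS = {"export_credentials", "read_config",
                     "change_config", "download_access_log"}

# Constructed sample events, not real Kastle logs.
SAMPLE_EVENTS = [
    {"ts": "2024-04-20T09:15:00Z", "actor": "facilities-admin",
     "action": "change_config", "src": "10.1.4.22", "authenticated": True},
    {"ts": "2024-04-22T03:41:10Z", "actor": "",
     "action": "export_credentials", "src": "198.51.100.77", "authenticated": False},
    {"ts": "2024-04-25T11:02:33Z", "actor": "jdoe",
     "action": "change_config", "src": "10.1.4.50", "authenticated": True},
    {"ts": "2024-05-03T14:00:00Z", "actor": "facilities-admin",
     "action": "read_config", "src": "10.1.4.22", "authenticated": True},
    {"ts": "2024-04-28T08:30:00Z", "actor": "kastle-svc",
     "action": "open_door", "src": "10.2.0.9", "authenticated": True},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used by the hypothetical schema."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted(src: str) -> bool:
    """True when the source address lies inside a trusted network."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_events(events, fix_date=FIX_DATE):
    """Return a list of findings; each holds the event, the reasons it was
    flagged, and whether it happened before the vendor fix date."""
    findings = []
    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue  # door events and similar are out of scope here
        reasons = []
        if not ev["authenticated"]:
            reasons.append("sensitive action without authentication")
        if not is_trusted(ev["src"]):
            reasons.append("source outside trusted networks")
        if ev["action"] == "change_config" and ev["actor"] not in ADMIN_ACCOUNTS:
            reasons.append("configuration change by non-admin account")
        if reasons:
            findings.append({"event": ev, "reasons": reasons,
                             "pre_fix": parse_ts(ev["ts"]) < fix_date})
    return findings


if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS):
        window = "pre-fix" if f["pre_fix"] else "post-fix"
        print(f"[{window}] {f['event']['ts']} {f['event']['action']} "
              f"from {f['event']['src']}: {'; '.join(f['reasons'])}")
```

Post-fix findings matter too: credentials harvested before the fix can still be replayed afterwards, which is why the key rotation below is not optional.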
Schedule — requires maintenance window
No customer-side patch or device reboot is needed for this advisory, since Kastle applied the fix in its cloud infrastructure; schedule the item below in a window because rotating keys can interrupt integrations that depend on them.
HARDENING: Audit which users and systems hold API keys or service accounts for the Kastle system, and rotate any that may have been exposed.
Long-term hardening
HARDENING: Implement network monitoring that baselines which hosts talk to the Kastle cloud platform and alerts on new clients or unusual outbound volume from workstations, which may indicate harvested credentials being used from a compromised host.
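One way to implement that monitoring, as an added example that is not part of the advisory or any Kastle tooling: assume flow records (from NetFlow, Zeek conn logs or a proxy) have already been reduced to per-day byte counts per source host and destination, with traffic to the Kastle platform labelled by a hypothetical destination tag. The script builds a per-host median baseline from past days and alerts on hosts that never talked to the platform before or that send several times their usual volume; the flow records and threshold are constructed for the demonstration.

```python
"""Baseline which hosts reach the access-control cloud service and flag
new clients or volume spikes (added example; data is constructed)."""
from collections import defaultdict
from statistics import median

# Hypothetical tag for flows to the Kastle platform; in practice derive it
# from the DNS names or resolved addresses of the service.
KASTLE_DEST = "kastle-cloud"

# Constructed baseline flows: (day, source host, destination tag, bytes sent).
BASELINE_FLOWS = [
    ("2024-04-01", "ws-reception", "kastle-cloud", 120_000),
    ("2024-04-02", "ws-reception", "kastle-cloud", 110_000),
    ("2024-04-03", "ws-reception", "kastle-cloud", 130_000),
    ("2024-04-01", "ws-security", "kastle-cloud", 400_000),
    ("2024-04-02", "ws-security", "kastle-cloud", 380_000),
    ("2024-04-03", "ws-security", "kastle-cloud", 420_000),
    ("2024-04-01", "ws-reception", "mail", 50_000),
]

# Constructed flows for the day under review.
TODAY_FLOWS = [
    ("2024-04-29", "ws-reception", "kastle-cloud", 125_000),
    ("2024-04-29", "ws-security", "kastle-cloud", 2_500_000),
    ("2024-04-29", "ws-hr-07", "kastle-cloud", 90_000),
    ("2024-04-29", "ws-hr-07", "mail", 30_000),
]


def build_baseline(flows):
    """Median daily bytes sent to the platform, per source host."""
    per_host = defaultdict(list)
    for _day, host, dest, sent in flows:
        if dest == KASTLE_DEST:
            per_host[host].append(sent)
    return {host: median(values) for host, values in per_host.items()}


def detect_anomalies(baseline, flows, factor=5.0):
    """Return (host, reason, bytes) for hosts not in the baseline or whose
    daily volume to the platform exceeds factor times their median."""
    totals = defaultdict(int)
    for _day, host, dest, sent in flows:
        if dest == KASTLE_DEST:
            totals[host] += sent
    alerts = []
    for host, sent in totals.items():
        if host not in baseline:
            alerts.append((host, "new client to access-control cloud", sent))
        elif sent > factor * baseline[host]:
            alerts.append((host, f"volume exceeds {factor:g}x baseline "
                                 f"of {baseline[host]:.0f} bytes", sent))
    return alerts


if __name__ == "__main__":
    for host, reason, sent in detect_anomalies(build_baseline(BASELINE_FLOWS), TODAY_FLOWS):
        print(f"ALERT {host}: {reason} ({sent} bytes)")
```

A fixed multiplier is crude but deliberately simple to tune; the point is that a host outside the known set of access-control operators talking to the platform at all is the higher-value signal, and that should page someone regardless of volume.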
CVEs (2)