HIGH · 7.5

CVE-2023-4346


Vulnerability Description

KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked, leaving users unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password often cannot be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could exploit this vulnerability in the same way.

CVSS Score

7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Affected Products

Vendor: Knx
Product: Connection Authorization
Versions: -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2023-4346?

CVE-2023-4346 is a vulnerability with a CVSS score of 7.5 (HIGH). KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the devi...

How severe is CVE-2023-4346?

CVE-2023-4346 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2023-4346?

Check the references section above for vendor advisories and patch information. Affected products include: Knx Connection Authorization.