CVE-2024-41717 - Vulnerability Details

Kieback & Peter's DDC4000 series is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01145.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Kieback\&peter	Ddc4002 Firmware Ddc4002e Firmware Ddc4020e Firmware Ddc4040e Firmware Ddc4100 Firmware Ddc4200-l Firmware Ddc4200 Firmware Ddc4200e Firmware Ddc4400 Firmware Ddc4400e Firmware

No data.

Fixes

Solution

Kieback&Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are considered End-of-Life (EOL) and are no longer supported. Users operating these controllers should ensure they are operated in a strictly separate OT environment and consider updating to a supported controller. Kieback&Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers. Kieback&Peter recommends all affected users contact their local Kieback&Peter office to update the firmware of the supported DDC systems to v1.21.0 or later.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-05

History

Wed, 23 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kieback\&peter Kieback\&peter ddc4002 Firmware Kieback\&peter ddc4002e Firmware Kieback\&peter ddc4020e Firmware Kieback\&peter ddc4040e Firmware Kieback\&peter ddc4100 Firmware Kieback\&peter ddc4200-l Firmware Kieback\&peter ddc4200 Firmware Kieback\&peter ddc4200e Firmware Kieback\&peter ddc4400 Firmware Kieback\&peter ddc4400e Firmware
CPEs		cpe:2.3:o:kieback\&peter:ddc4002_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4002e_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4020e_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4040e_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4100_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4200-l_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4200_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4200e_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4400_firmware:::::::: cpe:2.3:o:kieback\&peter:ddc4400e_firmware::::::::
Vendors & Products		Kieback\&peter Kieback\&peter ddc4002 Firmware Kieback\&peter ddc4002e Firmware Kieback\&peter ddc4020e Firmware Kieback\&peter ddc4040e Firmware Kieback\&peter ddc4100 Firmware Kieback\&peter ddc4200-l Firmware Kieback\&peter ddc4200 Firmware Kieback\&peter ddc4200e Firmware Kieback\&peter ddc4400 Firmware Kieback\&peter ddc4400e Firmware
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 22 Oct 2024 21:30:00 +0000

Type	Values Removed	Values Added
Description		Kieback & Peter's DDC4000 series is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.
Title		Kieback&Peter DDC4000 Series Path Traversal
Weaknesses		CWE-22
References		https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-05
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-10-22T21:13:37.183Z

Updated: 2024-10-23T14:43:52.114Z

Reserved: 2024-08-21T18:03:31.239Z

Link: CVE-2024-41717

Vulnrichment

Updated: 2024-10-23T14:43:25.337Z

NVD

Status : Awaiting Analysis

Published: 2024-10-22T22:15:04.580

Modified: 2024-10-23T15:12:34.673

Link: CVE-2024-41717

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object