
Vulnerabilities in KONE Group Controller (KGC)

Introduction

KONE has become aware of vulnerabilities in its KONE Group Controller (KGC) computer.

KONE Group Controller (KGC) is an elevator group controller computer, installed in the elevator machine room of a building. Its purpose is to optimize the operation of a group of elevators, and it enables features such as destination calls and locking and unlocking of floors. The group controller is not an essential component of an elevator control system, and vulnerabilities in KGC do not affect the safety of the elevators connected to the group. However, if exploited, the vulnerabilities allow an attacker to modify any configuration parameter of the group controller. Potential consequences depend on the setup:

  • In buildings with an elevator destination control system, an attacker can cause denial of elevator service. Elevators will be parked and cannot be called to floors. Buttons in the elevator car will continue to function.
  • In buildings with conventional elevator control (=normal call buttons on floors and buttons in the elevator car), an attack can result in the reduction of transport capacity in the building. Elevators will continue to function independently without group control.
  • In buildings with access control integrated to elevators, an attacker can open access to locked floors or close access to floors that are intended to be unlocked.

Exploiting the vulnerabilities requires access to the same LAN as the KONE Group Controller (KGC). KGC is installed in a physically secure location, the elevator machine room, and is typically connected to a dedicated network reserved only for the group controller and the destination control system. In buildings with integration to other systems, including KONE E-Link or KONE Access, KONE installation instructions specify a firewall to separate the group control LAN from the building LAN.

KONE has performed a safety risk assessment of the vulnerabilities based on the ISO 14798:2009 elevator safety standard. That assessment did not indicate safety risks as a result of the vulnerabilities. The most severe consequence identified was the disabling of elevators in a building.

KONE has taken action to fix the vulnerabilities and to update the existing KGC computers in the field.

The vulnerabilities were reported to KONE by Sebastian Neuner (@sebastian9er) of Google Security Team.


Affected Software and Versions

  • KONE KGC software version 4.6.4 and earlier


Vulnerability Overview

The following CVEs were assigned to the security vulnerabilities:

  • CVE-2018-15484: Unauthenticated Remote Code Execution
  • CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification
  • CVE-2018-15485: FTP without authentication and authorization
  • CVE-2018-15483: Denial of Service


Vulnerability Details

CVE-2018-15484: Unauthenticated Remote Code Execution

Description: By modifying the file autoexec.bat via the web interface using the unauthenticated local file modification method (see CVE-2018-15486), an attacker can inject arbitrary operating system commands, which are executed at boot time.

CVSS Base Score: 9.6 (Critical)

CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated Local File modification

Description: The KGC web interface allows local files on the device to be read (local file inclusion) and modified (local file modification) without authentication. Modifying autoexec.bat through this interface is the primitive used for the remote code execution described in CVE-2018-15484.

CVSS Base Score: 9.6 (Critical)

CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


CVE-2018-15485: FTP without authentication and authorization

Description: FTP on the KGC is enabled on port 21 and is not secured by authentication or authorization mechanisms.

CVSS Base Score: 9.6 (Critical)

CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


CVE-2018-15483: Denial of Service

Description: There are several possible ways to cause a denial of service on the KGC. One of them is the ability to reboot the system via the web interface without authentication. An attacker could reboot the system every time it comes back up, interrupting group control indefinitely.

CVSS Base Score: 7.4 (High)

CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)


Fixes

Vulnerabilities have been fixed in KGC software version 4.6.5.

In the fixed software version, the HTTP and FTP services are disabled by default, which effectively closes the possibility to attack KGC over the network.

The HTTP and FTP services can be enabled temporarily for maintenance operations by authorized personnel.

Note that even the fixed software version leaves KGC vulnerable to attackers with physical access to the computer. The building owners are recommended to ensure that the access to the KGC is protected by adequate physical access control methods.
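The following check is added here as an example and is not KONE's own code or tooling. It verifies, from a host that can reach the controller, whether a KGC still exposes the two services this advisory names: whether the FTP service on TCP port 21 accepts an unauthenticated anonymous login (the condition described under CVE-2018-15485), and whether the HTTP web interface is reachable at all, which on the fixed software version should only be the case while maintenance has temporarily enabled it. The HTTP port number (80) and the controller address are assumptions; the advisory does not state them. The block also contains a small fake FTP responder, constructed for offline demonstration, that imitates the unauthenticated login behaviour and its fixed counterpart so the check can be exercised without a real controller.

```python
"""Service-exposure check for a KONE Group Controller (KGC) after remediation.

Added example; not KONE code. Reports whether the FTP service (TCP/21) is
reachable and accepts an anonymous login (CVE-2018-15485), and whether the
HTTP web interface is reachable. Both are disabled by default on KGC 4.6.5
unless temporarily enabled for maintenance.
"""
import socket
import threading
from ftplib import FTP, error_perm, all_errors

FTP_PORT = 21        # stated in the advisory
HTTP_PORT = 80       # assumption: the advisory only says "web interface"


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ftp_login_state(host, port=FTP_PORT, timeout=2.0):
    """Attempt an anonymous FTP login.

    Returns "anonymous" if the server accepts it (the vulnerable behaviour),
    "refused" if it answers with a 5xx reply (credentials are enforced), or
    None if the service cannot be reached or does not speak FTP.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                     # sends USER anonymous / PASS anonymous@
        return "anonymous"
    except error_perm:
        return "refused"
    except all_errors:                  # socket errors, EOF, protocol errors
        return None
    finally:
        ftp.close()


def check_kgc(host, ftp_port=FTP_PORT, http_port=HTTP_PORT, timeout=2.0):
    """Collect the exposure facts a site should verify after updating to 4.6.5."""
    result = {
        "ftp_reachable": tcp_open(host, ftp_port, timeout),
        "http_reachable": tcp_open(host, http_port, timeout),
        "ftp_login": None,
    }
    if result["ftp_reachable"]:
        result["ftp_login"] = ftp_login_state(host, ftp_port, timeout)
    result["ftp_unauthenticated"] = result["ftp_login"] == "anonymous"
    # Fixed default: neither service answers on the network at all.
    result["services_disabled"] = not (result["ftp_reachable"] or result["http_reachable"])
    return result


# --- constructed stand-in for offline demonstration; not a real KGC ---------

def _fake_ftp_session(conn, accept_anonymous):
    """Minimal FTP control-channel dialogue, just enough for ftplib.login()."""
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"220 fake KGC FTP ready\r\n")
        for raw in lines:
            verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if verb == "USER":
                conn.sendall(b"331 Password required\r\n")
            elif verb == "PASS":
                if accept_anonymous:      # vulnerable: any password is accepted
                    conn.sendall(b"230 Login successful\r\n")
                else:                     # fixed: credentials are checked
                    conn.sendall(b"530 Login incorrect\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                return
            else:
                conn.sendall(b"502 Command not implemented\r\n")


def start_fake_kgc_ftp(accept_anonymous=True):
    """Start the fake FTP responder on 127.0.0.1; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.5)                   # lets the loop notice srv.close()

    def accept_loop():
        while srv.fileno() != -1:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:               # server socket closed
                return
            threading.Thread(target=_fake_ftp_session,
                             args=(conn, accept_anonymous), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Return a loopback port nothing listens on (stands in for a disabled service)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for vulnerable in (True, False):
        srv, port = start_fake_kgc_ftp(accept_anonymous=vulnerable)
        label = "pre-4.6.5 behaviour" if vulnerable else "fixed behaviour"
        print(label, check_kgc("127.0.0.1", ftp_port=port, http_port=closed_local_port()))
        srv.close()
```

Run `check_kgc` against the controller's address from the group control LAN after the update to confirm `services_disabled` is true (or that any reachable service is a deliberately enabled maintenance session). Running the same check from the building LAN, where the site has E-Link or Access integration, confirms that the firewall required by the installation instructions actually blocks the path. The FTP probe only attempts a login and transfers nothing; test only equipment you are authorised to assess.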


Workarounds and Mitigations

Elevator sites where the group controller network is closed (not connected to any other network) are less exposed, as the attack then requires physical access to the elevator machine room. Where the group control LAN is integrated with other systems, such as KONE E-Link or KONE Access, verify that the firewall specified in the KONE installation instructions is in place and does not allow the building LAN to reach the KGC's HTTP and FTP (TCP port 21) services until the fixed software version has been installed.


Change history:

September 5, 2018: Original version published.