OTPulse

Automated Logic Corporation WebCTRL, i-VU, SiteScan

Plan Patch
CVSS: 8.3
Advisory: ICS-CERT ICSA-17-234-01
Published: Aug 22, 2017
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Automated Logic Corporation WebCTRL, i-Vu, and SiteScan Web products contain multiple vulnerabilities that allow authenticated users to upload arbitrary files and manipulate file paths on the server. Vulnerable versions: WebCTRL i-Vu SiteScan Web 6.5 and prior, WebCTRL i-Vu 6.0 and prior, WebCTRL SiteScan Web 6.1 and prior. These products are used for centralized building automation control including HVAC, lighting, and energy management. An attacker with valid engineering credentials could exploit these weaknesses to execute arbitrary code on the automation server.

What this means
What could happen
An attacker with engineering credentials could upload malicious files to the system or manipulate file paths, potentially executing arbitrary code on the building automation server and compromising control of HVAC, lighting, and other facility systems.
Who's at risk
Building automation operators at facilities using Automated Logic Corporation WebCTRL for HVAC, lighting, and other controls. This includes commercial office buildings, hospitals, schools, and manufacturing plants with Johnson Controls systems.
How it could be exploited
An attacker with valid engineering workstation credentials accesses the WebCTRL web interface over the network, uses a path traversal or arbitrary file upload vulnerability to place malicious files on the server, and executes them to gain command-line access to the building automation system.
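The advisory names two weakness classes, path manipulation and arbitrary file upload, without showing the server-side logic that prevents them. As an added illustration (not WebCTRL code and not taken from the ICS-CERT advisory), the Python below shows the check a web application should perform before writing an uploaded file: canonicalise the supplied name against a fixed upload root and allowlist the file type. The upload root, the extension allowlist and the sample file names are constructed assumptions, not the product's real layout or policy.

```python
from typing import Optional
import posixpath

# Constructed illustration: a fixed upload root and an allowlist of file types
# an engineering tool would legitimately store. These are assumptions, not
# WebCTRL's real directory layout or file-type policy.
UPLOAD_ROOT = "/srv/bas/uploads"
ALLOWED_EXTENSIONS = frozenset({".csv", ".xml", ".png", ".pdf"})


def resolve_upload_path(root: str, user_supplied: str) -> Optional[str]:
    """Canonicalise `user_supplied` relative to `root`.

    Returns the absolute destination path if it stays inside `root`,
    otherwise None. The caller must URL-decode the name exactly once before
    calling this, so encoded forms such as %2e%2e are normalised too.
    """
    if not user_supplied or "\x00" in user_supplied:
        return None
    # An uploaded file name is never allowed to be an absolute path.
    if user_supplied.startswith(("/", "\\")):
        return None
    # Treat backslashes as separators so "..\\" is normalised like "../".
    relative = posixpath.normpath(user_supplied.replace("\\", "/"))
    root_abs = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_abs, relative))
    # commonpath compares whole path components, so a sibling such as
    # "/srv/bas/uploads2" is correctly treated as outside the root.
    if posixpath.commonpath([root_abs, candidate]) != root_abs:
        return None
    if candidate == root_abs:  # the name normalised to "." (no file name)
        return None
    return candidate


def is_allowed_type(path: str) -> bool:
    """Allowlist on the final extension; anything else (.jsp, .war, ...) is refused."""
    return posixpath.splitext(path)[1].lower() in ALLOWED_EXTENSIONS


def validate_upload(user_supplied: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Combined check: returns the safe destination path, or None when rejected."""
    candidate = resolve_upload_path(root, user_supplied)
    if candidate is None or not is_allowed_type(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names: the last four model the path-manipulation and
    # arbitrary-file-type cases the advisory describes.
    samples = ["trendlog.csv", "site/plans/floor1.pdf", "../../etc/passwd",
               "docs\\..\\..\\webapps\\shell.jsp", "/etc/shadow", "update.war"]
    for name in samples:
        print(f"{name!r:40} -> {validate_upload(name)}")
```

The containment test is done on the canonical path rather than on the raw string, so a name that only looks harmless after traversal components are resolved (`sub/../../x`) is caught the same way as a plain `../`. Logging every rejection from `validate_upload` also gives the "monitor and audit file uploads" mitigation below something concrete to alert on.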
Prerequisites
  • Valid engineering credentials for WebCTRL
  • Network access to WebCTRL web interface (typically port 80 or 443)
  • JavaScript enabled in client browser (for UI interaction)
Tags: remotely exploitable · requires valid credentials · low exploit complexity · path traversal and arbitrary file upload vulnerabilities · affects building automation and critical facility controls · no patch available for affected versions
Exploitability
Moderate exploit probability (EPSS 3.2%)
Affected products (5), all end of life

Product                                        Affected Versions   Fix Status
ALC WebCTRL i-Vu SiteScan Web: 6.5 and prior   ≤ 6.5               No fix (EOL)
ALC WebCTRL i-Vu: 6.0 and prior                ≤ 6.0               No fix (EOL)
ALC WebCTRL SiteScan Web: 6.1 and prior        ≤ 6.1               No fix (EOL)
ALC WebCTRL i-Vu SiteScan Web: 5.5 and prior   ≤ 5.5               No fix (EOL)
ALC WebCTRL i-Vu SiteScan Web: 5.2 and prior   ≤ 5.2               No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to WebCTRL administrative interfaces using firewall rules; allow only trusted engineering workstations
HARDENING: Enforce strong authentication for engineering accounts; require multi-factor authentication if available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor and audit file uploads and system modifications on WebCTRL servers
HOTFIX: Contact Johnson Controls for security patches when they become available; plan an upgrade strategy for end-of-life products
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ALC WebCTRL i-Vu SiteScan Web: 6.5 and prior, ALC WebCTRL i-Vu: 6.0 and prior, ALC WebCTRL SiteScan Web: 6.1 and prior, ALC WebCTRL i-Vu SiteScan Web: 5.5 and prior, ALC WebCTRL i-Vu SiteScan Web: 5.2 and prior. Apply the following compensating controls:
HARDENING: Segment the building automation network from corporate IT and internet-connected systems