Automated Logic Corporation WebCTRL, i-VU, SiteScan

Plan PatchCVSS 8.3ICS-CERT ICSA-17-234-01Aug 22, 2017

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Automated Logic Corporation WebCTRL, i-Vu, and SiteScan Web products contain multiple vulnerabilities that allow authenticated users to upload arbitrary files and manipulate file paths on the server. Vulnerable versions: WebCTRL i-Vu SiteScan Web 6.5 and prior, WebCTRL i-Vu 6.0 and prior, WebCTRL SiteScan Web 6.1 and prior. These products are used for centralized building automation control including HVAC, lighting, and energy management. An attacker with valid engineering credentials could exploit these weaknesses to execute arbitrary code on the automation server.

What this means

What could happen

An attacker with engineering credentials could upload malicious files to the system or manipulate file paths, potentially executing arbitrary code on the building automation server and compromising control of HVAC, lighting, and other facility systems.

Who's at risk

Building automation operators at facilities using Automated Logic Corporation WebCTRL for HVAC, lighting, and other controls. This includes commercial office buildings, hospitals, schools, and manufacturing plants with Johnson Controls systems.

How it could be exploited

An attacker with valid engineering workstation credentials accesses the WebCTRL web interface over the network, uses a path traversal or arbitrary file upload vulnerability to place malicious files on the server, and executes them to gain command-line access to the building automation system.

Prerequisites

Valid engineering credentials for WebCTRL
Network access to WebCTRL web interface (typically port 80 or 443)
JavaScript enabled in client browser (for UI interaction)

remotely exploitablerequires valid credentialslow exploit complexitypath traversal and arbitrary file upload vulnerabilitiesaffects building automation and critical facility controlsno patch available for affected versions

Exploitability

Some exploitation risk — EPSS score 6.0%

Affected products (5)

5 EOL

ProductAffected VersionsFix Status

ALC WebCTRL i-Vu SiteScan Web: 6.5 and prior≤ 6.5No fix (EOL)

ALC WebCTRL i-Vu: 6.0 and prior≤ 6.0No fix (EOL)

ALC WebCTRL SiteScan Web: 6.1 and prior≤ 6.1No fix (EOL)

ALC WebCTRL i-Vu SiteScan Web: 5.5 and prior≤ 5.5No fix (EOL)

ALC WebCTRL i-Vu SiteScan Web: 5.2 and prior≤ 5.2No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to WebCTRL administrative interfaces using firewall rules; allow only trusted engineering workstations

HARDENINGEnforce strong authentication for engineering accounts; require multi-factor authentication if available

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor and audit file uploads and system modifications on WebCTRL servers

HOTFIXContact Johnson Controls for security patches when they become available; plan an upgrade strategy for end-of-life products

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: ALC WebCTRL i-Vu SiteScan Web: 6.5 and prior, ALC WebCTRL i-Vu: 6.0 and prior, ALC WebCTRL SiteScan Web: 6.1 and prior, ALC WebCTRL i-Vu SiteScan Web: 5.5 and prior, ALC WebCTRL i-Vu SiteScan Web: 5.2 and prior. Apply the following compensating controls:

HARDENINGSegment the building automation network from corporate IT and internet-connected systems

CVEs (3)

CVE-2017-9644 CVE-2017-9640 CVE-2017-9650

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/96e9d311-d067-47cf-8a6c-97102fdf70fb

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.