ICSA-20-070-04_Johnson Controls Kantech EntraPass
Plan: Patch | CVSS 9.8 | ICS-CERT ICSA-20-070-04 | Mar 10, 2020
Johnson Controls
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Input validation vulnerability in Johnson Controls EntraPass Global Edition and Corporate Edition (all versions before 8.10) allows remote code execution without authentication. CWE-20 (Improper Input Validation) in EntraPass server processing.
What this means
What could happen
An attacker without credentials could execute arbitrary code on the EntraPass server and gain full administrative control over physical access systems, potentially preventing authorized personnel from accessing facilities or allowing unauthorized entry.
Who's at risk
Organizations operating Johnson Controls EntraPass physical access control systems, particularly in municipal facilities, office buildings, data centers, and other secure locations that depend on card reader access systems for building security.
How it could be exploited
An attacker on the network sends a crafted request to the EntraPass server on its management port. The server fails to properly validate input and executes arbitrary code with system privileges. From there, the attacker can modify access control policies, disable alarms, or lock out legitimate users from the building.
Prerequisites
- Network access to EntraPass server management port
- No authentication required
Tags: remotely exploitable; no authentication required; low complexity; high CVSS score (9.8); no patch available for legacy versions
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
EntraPass Global Edition | All < 8.10 | 8.10+
EntraPass Corporate Edition | All < 8.10 | 8.10+
Remediation & Mitigation
Do now
WORKAROUND: For systems unable to upgrade, obtain and implement temporary workaround instructions from the Johnson Controls Product Security Advisory.
HARDENING: Restrict network access to EntraPass server management ports to authorized engineering and administrative networks only.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HOTFIX: Upgrade to EntraPass Version 8.10 or later.
CVEs (1)