Johnson Controls Software House C-CURE 9000 and American Dynamics victor VMS

Plan PatchCVSS 9.9ICS-CERT ICSA-20-142-01May 21, 2020

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Johnson Controls Software House C-CURE 9000 (version 2.7 and earlier) and American Dynamics victor Video Management System (version 5.2 and earlier) allows authenticated users to access credentials stored within the application. The application stores integration credentials in an insecure manner that can be retrieved by users with valid login accounts. Successful exploitation allows an attacker to obtain credentials used by the application to authenticate to downstream systems such as databases or directory services, potentially compromising those systems as well. The vulnerability is stored in log files under c:\\programdata\\tyco\\installertemp.

What this means

What could happen

An attacker with valid user credentials could extract stored credentials used by the application to authenticate to external systems or databases, potentially allowing them to compromise downstream infrastructure and systems.

Who's at risk

This affects organizations operating physical access control systems and video surveillance management, particularly those using Johnson Controls or American Dynamics equipment. Water authorities and municipal utilities with perimeter security, employee access control, or video monitoring rely on these systems. Facility managers and security staff operating these systems should be aware that authenticated users could potentially compromise the credentials these systems use to integrate with other infrastructure systems.

How it could be exploited

An attacker with valid login credentials for either the C-CURE 9000 access control application or victor VMS can access the application and retrieve stored credentials from the application's storage. These credentials may include accounts for databases, directory services, or other integrated systems.

Prerequisites

Valid user credentials (username/password) for the vulnerable application
Network access to the C-CURE 9000 or victor VMS application interface
Access to the affected application software (not remotely exploitable from the network perimeter)

Requires valid user credentials to exploitAllows credential disclosure that could compromise downstream systemsProducts are end-of-life with no patch available

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

1 with fix1 pending

ProductAffected VersionsFix Status

Software House Câ€¢CURE 9000:2.7No fix yet

American Dynamics victor Video Management System:5.25.3+

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDelete log files from c:\programdata\tyco\installertemp to remove cached credentials

WORKAROUNDChange the password for the Windows account used by the C-CURE 9000 and victor VMS services

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Software House C-CURE 9000 to Version 2.80 or later

HOTFIXUpgrade American Dynamics victor Video Management System to Version 5.3 or later

Long-term hardening

0/2

HARDENINGRestrict network access to C-CURE 9000 and victor VMS to authorized personnel only using firewall rules and network segmentation

HARDENINGIsolate the access control and video management networks from the general IT business network

CVEs (1)

CVE-2020-9045

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4561465e-2864-48e4-abf3-34612213a65a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.