OTPulse

Johnson Controls Software House C-CURE 9000 and American Dynamics victor VMS

Act Now
CVSS 9.9
ICS-CERT ICSA-20-142-01
May 21, 2020
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Johnson Controls Software House C-CURE 9000 (version 2.7 and earlier) and American Dynamics victor Video Management System (version 5.2 and earlier) allows authenticated users to access credentials stored within the application. The application stores integration credentials in an insecure manner, so any user with a valid login account can retrieve them. Successful exploitation allows an attacker to obtain credentials that the application uses to authenticate to downstream systems such as databases or directory services, potentially compromising those systems as well. The credentials are stored in log files under c:\programdata\tyco\installertemp.

What this means
What could happen
An attacker with valid user credentials could extract stored credentials used by the application to authenticate to external systems or databases, potentially allowing them to compromise downstream infrastructure and systems.
Who's at risk
This affects organizations operating physical access control systems and video surveillance management, particularly those using Johnson Controls or American Dynamics equipment. Water authorities and municipal utilities with perimeter security, employee access control, or video monitoring rely on these systems. Facility managers and security staff operating these systems should be aware that authenticated users could potentially compromise the credentials these systems use to integrate with other infrastructure systems.
How it could be exploited
An attacker with valid login credentials for either the C-CURE 9000 access control application or victor VMS can access the application and retrieve stored credentials from the application's storage. These credentials may include accounts for databases, directory services, or other integrated systems.
Prerequisites
  • Valid user credentials (username/password) for the vulnerable application
  • Network access to the C-CURE 9000 or victor VMS application interface
  • Access to the affected application software (not remotely exploitable from the network perimeter)
  • Requires valid user credentials to exploit
  • Allows credential disclosure that could compromise downstream systems
  • Products are end-of-life with no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
1 with fix, 1 pending

Product                                            Affected Versions   Fix Status
Software House C•CURE 9000                         2.7                 No fix yet
American Dynamics victor Video Management System   5.2                 5.3 or later
Remediation & Mitigation
Do now
  • WORKAROUND: Delete log files from c:\programdata\tyco\installertemp to remove cached credentials
  • WORKAROUND: Change the password for the Windows account used by the C-CURE 9000 and victor VMS services
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade Software House C-CURE 9000 to Version 2.80 or later
  • HOTFIX: Upgrade American Dynamics victor Video Management System to Version 5.3 or later
Long-term hardening
  • HARDENING: Restrict network access to C-CURE 9000 and victor VMS to authorized personnel only using firewall rules and network segmentation
  • HARDENING: Isolate the access control and video management networks from the general IT business network
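
The first "Do now" workaround as a PowerShell script, added here as an example and not taken from the vendor or the advisory: it records each file's size, timestamp, hash and allowed readers before deleting it. The report path and the choice to treat every file under the directory as a log are assumptions; run it with -WhatIf first to get the inventory without deleting anything.

```powershell
# Added example: inventory the installer logs named in the advisory, then delete them.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Path from the advisory's workaround.
    [string]$LogDir = 'C:\ProgramData\Tyco\InstallerTemp',
    # Assumption: location of the inventory kept for the incident record.
    [string]$ReportPath = (Join-Path $env:TEMP 'installertemp-inventory.csv')
)

if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    Write-Output "Not found: $LogDir (nothing to clean up on this host)."
    return
}

# Assumption: every file under the directory is treated as an installer log,
# because the advisory gives no file names or extensions.
$files = @(Get-ChildItem -LiteralPath $LogDir -File -Recurse -Force)
if ($files.Count -eq 0) {
    Write-Output "No files under $LogDir."
    return
}

$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$inventory = foreach ($f in $files) {
    # Principals with an explicit Allow entry for reading the file's contents.
    $readers = (Get-Acl -LiteralPath $f.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights.HasFlag($readData) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    [pscustomobject]@{
        Path           = $f.FullName
        SizeBytes      = $f.Length
        LastWriteUtc   = $f.LastWriteTimeUtc.ToString('o')
        Sha256         = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        AllowedReaders = $readers -join '; '
    }
}
# Write the inventory even on a -WhatIf run, so the dry run still leaves a record.
$inventory | Export-Csv -LiteralPath $ReportPath -NoTypeInformation -WhatIf:$false

foreach ($f in $files) {
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete installer log')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

$left = @(Get-ChildItem -LiteralPath $LogDir -File -Recurse -Force).Count
Write-Output "Inventoried $($files.Count) file(s) to $ReportPath; $left remain under $LogDir."
```

Deleting the logs does not invalidate a password that has already been read, so the service-account password change listed under "Do now" still applies.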