OTPulse

Johnson Controls Sensormatic Electronics American Dynamics victor Web Client and Software House C•CURE Web Client (Update A)

Plan: Patch
CVSS: 7.1
ICS-CERT: ICSA-20-282-01
Published: Oct 8, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls Sensormatic Electronics American Dynamics victor Web Client and Software House C•CURE Web Client contain an access control vulnerability (CWE-285) that allows an unauthenticated attacker on the adjacent network to delete arbitrary files or cause denial-of-service. The vulnerability affects Software House C•CURE Web Client all versions through 2.80 and American Dynamics victor Web Client all versions through 5.4.1. No public exploits are currently known, and the vulnerability is not remotely exploitable from the Internet.

What this means
What could happen
An attacker on your local network could delete critical files from the web client system, potentially disabling access control and security monitoring capabilities for physical access and alarm management. This could render security systems inoperable or cause significant operational disruption.
Who's at risk
Security system operators and facility managers using Johnson Controls American Dynamics victor Web Client or Software House C•CURE Web Client for physical access control and alarm management. This affects building security, data center access control, and facility monitoring systems that depend on these web interfaces.
How it could be exploited
An attacker must be on the same local network segment (adjacent network) as the affected web client. They send an unauthenticated request to delete arbitrary files through the vulnerable access control mechanism, which does not properly validate the request. This allows deletion of system files without needing credentials or user interaction.
Prerequisites
  • Network access to the web client from the same local network segment (not from the Internet)
  • No credentials required
  • No authentication required
Tags: no authentication required, low complexity, affects safety/security systems, requires adjacent network access only, no public exploits known
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (2)
1 with fix, 1 pending

Product: Software House C•CURE Web Client (All) / Affected Versions: ≤ 2.80 / Fix Status: No fix yet
Product: American Dynamics victor Web Client (All) / Affected Versions: ≤ 5.4.1 / Fix Status: 5.6
Remediation & Mitigation
Do now
HARDENING: Isolate the web client system on a separate network segment from untrusted devices and limit access to authorized personnel only
WORKAROUND: Implement firewall rules to restrict access to the web client to only necessary ports and authorized IP addresses
HARDENING: Do not expose the web client to the Internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade American Dynamics victor Web Client to version 5.6 or later
HOTFIX: Upgrade Software House C•CURE Web Client to version 2.70 or later, then apply the appropriate security update (WebClient_c2.70_5.2_Update02 for v2.70, or WebClient_c2.80_v5.4.1_Update04 for v2.80)
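The two hotfix items above encode different logic per product (a plain version floor for victor, a baseline-then-update rule for C•CURE). The following patch-triage helper is an added example, not code from OTPulse or Johnson Controls; the product keys "victor"/"ccure", the dotted-numeric version strings and the list of already-installed update names are assumptions, while the version boundaries and update file names come from this advisory.

```python
# Patch-triage helper for the products in ICSA-20-282-01 (added example).
# Assumed inputs: product key "victor" or "ccure", a dotted-numeric version
# string, and the names of hotfix updates already installed on the host.

VICTOR_FIXED = "5.6"      # victor Web Client: 5.6 or later is the fixed release
CCURE_BASELINE = "2.70"   # C•CURE: must be on 2.70 or later before applying an update
CCURE_UPDATES = {         # hotfix name per C•CURE major.minor release (from the advisory)
    "2.70": "WebClient_c2.70_5.2_Update02",
    "2.80": "WebClient_c2.80_v5.4.1_Update04",
}


def parse_version(text: str) -> tuple:
    """Turn '5.4.1' into (5, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def minor(text: str) -> str:
    """'2.80.3' -> '2.80': the update names key on the major.minor release."""
    return ".".join(text.strip().split(".")[:2])


def triage(product: str, version: str, installed_updates=()) -> dict:
    """Return whether one installed instance is still affected and the next action."""
    v = parse_version(version)
    if product == "victor":
        if v >= parse_version(VICTOR_FIXED):
            return {"affected": False, "action": "none"}
        return {"affected": True, "action": f"upgrade to {VICTOR_FIXED} or later"}
    if product == "ccure":
        if v < parse_version(CCURE_BASELINE):
            return {"affected": True,
                    "action": f"upgrade to {CCURE_BASELINE}, then apply {CCURE_UPDATES[CCURE_BASELINE]}"}
        update = CCURE_UPDATES.get(minor(version))
        if update is None:  # release not named in the advisory (e.g. newer than 2.80)
            return {"affected": None, "action": "not covered by this advisory; confirm with vendor"}
        if update in installed_updates:
            return {"affected": False, "action": "none"}
        return {"affected": True, "action": f"apply {update}"}
    raise ValueError(f"unknown product key: {product}")


# Constructed sample inventory (not real hosts) to show the helper over a fleet.
INVENTORY = [
    ("victor", "5.4.1", ()),
    ("ccure", "2.80", ("WebClient_c2.80_v5.4.1_Update04",)),
    ("ccure", "2.60", ()),
]


def triage_inventory(inventory=INVENTORY) -> list:
    return [(p, v, triage(p, v, u)) for p, v, u in inventory]
```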