Johnson Controls Sensormatic Electronics American Dynamics victor Web Client and Software House C•CURE Web Client (Update A)

Plan PatchCVSS 7.1ICS-CERT ICSA-20-282-01Oct 8, 2020

Johnson Controls

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Johnson Controls Sensormatic Electronics American Dynamics victor Web Client and Software House C•CURE Web Client contain an access control vulnerability (CWE-285) that allows an unauthenticated attacker on the adjacent network to delete arbitrary files or cause denial-of-service. The vulnerability affects Software House C•CURE Web Client all versions through 2.80 and American Dynamics victor Web Client all versions through 5.4.1. No public exploits are currently known, and the vulnerability is not remotely exploitable from the Internet.

What this means

What could happen

An attacker on your local network could delete critical files from the web client system, potentially disabling access control and security monitoring capabilities for physical access and alarm management. This could render security systems inoperable or cause significant operational disruption.

Who's at risk

Security system operators and facility managers using Johnson Controls American Dynamics victor Web Client or Software House C•CURE Web Client for physical access control and alarm management. This affects building security, data center access control, and facility monitoring systems that depend on these web interfaces.

How it could be exploited

An attacker must be on the same local network segment (adjacent network) as the affected web client. They send an unauthenticated request to delete arbitrary files through the vulnerable access control mechanism, which does not properly validate the request. This allows deletion of system files without needing credentials or user interaction.

Prerequisites

Network access to the web client from the same local network segment (not from the Internet)
No credentials required
No authentication required

no authentication requiredlow complexityaffects safety/security systemsrequires adjacent network access onlyno public exploits known

Exploitability

Unlikely to be exploited — EPSS score 1.0%

Affected products (2)

1 with fix1 pending

ProductAffected VersionsFix Status

Software House Câ€¢CURE Web Client: All≤ 2.80No fix yet

American Dynamics victor Web Client: All≤ 5.4.15.6

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate the web client system on a separate network segment from untrusted devices and limit access to authorized personnel only

WORKAROUNDImplement firewall rules to restrict access to the web client to only necessary ports and authorized IP addresses

HARDENINGDo not expose the web client to the Internet or untrusted networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade American Dynamics victor Web Client to version 5.6 or later

HOTFIXUpgrade Software House C•CURE Web Client to version 2.70 or later, then apply the appropriate security update (WebClient_c2.70_5.2_Update02 for v2.70, or WebClient_c2.80_v5.4.1_Update04 for v2.80)

CVEs (1)

CVE-2020-9048

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/417ed6a8-2c46-4d68-b80f-70c674aaa3d5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.