Johnson Controls Sensormatic Electronics American Dynamics victor Web Client
Plan: Patch · 7.1 · ICS-CERT ICSA-20-324-01 · Nov 17, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
American Dynamics victor Web Client and Software House C•CURE Web Client contain an authentication bypass vulnerability. An unauthenticated attacker on the network can create and sign a forged JSON web token (JWT) and use it to execute HTTP API commands without valid credentials. This could be exploited to conduct denial-of-service attacks or impact system availability. The vulnerability affects victor Web Client and C•CURE Web Client versions below 2.90. C•CURE 9000 v2.90 and later (new web-based client introduced in v2.90) are not affected.
What this means
What could happen
An attacker on your network could bypass authentication on the victor or C•CURE Web Client and run administrative API commands, potentially disrupting security and access control operations or causing a denial-of-service condition.
Who's at risk
Organizations using Johnson Controls American Dynamics victor Web Client or Software House C•CURE Web Client for building access control and security management. This includes facilities managers, security teams, and IT administrators at enterprise buildings, campuses, data centers, and critical infrastructure sites that rely on these systems for physical security.
How it could be exploited
An attacker with network access to the Web Client can craft and sign a fraudulent JSON web token (JWT) without valid credentials. This token is accepted by the HTTP API, allowing the attacker to execute administrative commands. The attacker must be on the same network segment but requires no user interaction or special configuration.
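The advisory does not say why the Web Client accepts a token it did not issue, so the following is an added example, not code from Johnson Controls or from this page, of the server-side checks that defeat the forged-JWT class of bypass described above: the verifier pins the algorithm to HS256 instead of trusting the `alg` field inside the token, compares the HMAC in constant time, and requires an unexpired `exp` claim. It then runs those checks over a few constructed access-log lines so a defender can see which requests carried tokens that should have been refused. The signing key, the `make_jwt` helper (used only to build sample tokens), the log format and the `/api/status` path are all assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only: a demo server-side key and a fixed "now".
DEMO_KEY = b"example-only-server-side-secret"
NOW = 1_700_000_000


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. Used here only to build sample inputs, valid and forged alike."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."  # unsigned token: empty signature segment
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: int) -> tuple:
    """Strict verification. Returns (ok, reason, claims).

    The algorithm is pinned to HS256: the alg claimed inside the token never
    selects how the signature is checked, so 'none' and algorithm-confusion
    tokens are rejected before any signature work is done."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable", {}
    if header.get("alg") != "HS256":
        return False, f"alg not allowed: {header.get('alg')!r}", {}
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature", {}
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired or missing exp", {}
    return True, "ok", claims


def audit_log(lines, key: bytes, now: int) -> list:
    """Re-verify every Bearer token seen in constructed access-log lines and
    return (client, reason) for each request whose token should have been refused."""
    findings = []
    for line in lines:
        if "Bearer " not in line:
            continue
        token = line.split("Bearer ", 1)[1].split()[0]
        ok, reason, _ = verify_jwt(token, key, now)
        if not ok:
            findings.append((line.split()[0], reason))
    return findings


# Constructed sample tokens: one legitimate, four that a forger might present.
_claims = {"sub": "operator", "exp": NOW + 600}
GOOD = make_jwt(_claims, DEMO_KEY)
ALG_NONE = make_jwt(_claims, DEMO_KEY, alg="none")
WRONG_KEY = make_jwt(_claims, b"guessed-key")
_good_parts = GOOD.split(".")
TAMPERED = ".".join([_good_parts[0],
                     b64url_encode(b'{"sub":"admin","exp":%d}' % (NOW + 600)),
                     _good_parts[2]])  # payload swapped, original signature kept
EXPIRED = make_jwt({"sub": "operator", "exp": NOW - 1}, DEMO_KEY)

SAMPLE_LOG = [  # constructed log lines: "<client> <method> <path> Authorization: Bearer <jwt>"
    f"10.0.0.5 GET /api/status Authorization: Bearer {GOOD}",
    f"10.0.0.9 GET /api/status Authorization: Bearer {ALG_NONE}",
    f"10.0.0.9 GET /api/status Authorization: Bearer {WRONG_KEY}",
    f"10.0.0.9 GET /api/status Authorization: Bearer {TAMPERED}",
    f"10.0.0.7 GET /api/status Authorization: Bearer {EXPIRED}",
]

if __name__ == "__main__":
    for client, reason in audit_log(SAMPLE_LOG, DEMO_KEY, NOW):
        print(f"{client}: rejected ({reason})")
```

Only the first line survives the audit; the unsigned, wrongly keyed, tampered and expired tokens are each reported with the check that failed. In a real deployment the same verifier would sit in front of every HTTP API handler, and the audit function would run over the Web Client's access logs to spot tokens the server should never have honoured.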
Prerequisites
- Network access to the American Dynamics victor Web Client or C•CURE Web Client HTTP API port
- No valid credentials required
- Attacker must be on the same network segment (AV:A in CVSS indicates Adjacent Network access)
- Remotely exploitable on adjacent networks
- No authentication required
- Low complexity attack
- Affects building access control system availability
- No patch available for C•CURE versions below 2.70
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: American Dynamics victor Web Client, Software House C•CURE Web Client (NOTE: this does not affect the new web-based C•CURE 9000 client that was introduced in C•CURE 9000 v2.90)
Affected Versions: < 2.90
Fix Status: v5.6 SP1
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Web Client—place it behind a firewall and do not expose it to the Internet or untrusted networks
WORKAROUND: If remote access is required, use a VPN and keep it updated to the latest version
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Upgrade victor Web Client to v5.6 SP1 (victor Unified Client v5.6 SP1)
HOTFIX: Upgrade C•CURE Web Client to v2.70 or later and install the corresponding security update (Web Client_c2.70_5.2_Update02 for v2.70, Web Client_c2.80_v5.4.1_Update04 for v2.80, or CCureWeb_2.90_Update01 for v2.90)
Long-term hardening
HARDENING: Isolate building automation system networks from the business network using network segmentation
CVEs (1)