Johnson Controls Sensormatic Electronics American Dynamics victor Web Client

Plan PatchCVSS 7.1ICS-CERT ICSA-20-324-01Nov 17, 2020

Johnson Controls

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

American Dynamics victor Web Client and Software House C•CURE Web Client contain an authentication bypass vulnerability. An unauthenticated attacker on the network can create and sign a forged JSON web token (JWT) and use it to execute HTTP API commands without valid credentials. This could be exploited to conduct denial-of-service attacks or impact system availability. The vulnerability affects victor Web Client and C•CURE Web Client versions below 2.90. C•CURE 9000 v2.90 and later (new web-based client introduced in v2.90) are not affected.

What this means

What could happen

An attacker on your network could bypass authentication on the victor or C•CURE Web Client and run administrative API commands, potentially disrupting security and access control operations or causing a denial-of-service condition.

Who's at risk

Organizations using Johnson Controls American Dynamics victor Web Client or Software House C•CURE Web Client for building access control and security management. This includes facilities managers, security teams, and IT administrators at enterprise buildings, campuses, data centers, and critical infrastructure sites that rely on these systems for physical security.

How it could be exploited

An attacker with network access to the Web Client can craft and sign a fraudulent JSON web token (JWT) without valid credentials. This token is accepted by the HTTP API, allowing the attacker to execute administrative commands. The attacker must be on the same network segment but requires no user interaction or special configuration.

Prerequisites

Network access to the American Dynamics victor Web Client or C•CURE Web Client HTTP API port
No valid credentials required
Attacker must be on the same network segment (AV:A in CVSS indicates Adjacent Network access)

Remotely exploitable on adjacent networksNo authentication requiredLow complexity attackAffects building access control system availabilityNo patch available for C•CURE versions below 2.70

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

American Dynamics victor Web Client, Software House Câ€¢CURE Web Client - NOTE: This does not affect the new web-based Câ€¢CURE 9000 client that was introduced in Câ€¢CURE 9000 v2.90< 2.90v5.6 SP1

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to the Web Client—place it behind a firewall and do not expose to the Internet or untrusted networks

WORKAROUNDIf remote access is required, use a VPN and keep it updated to the latest version

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade victor Web Client to v5.6 SP1 (victor Unified Client v5.6 SP1)

HOTFIXUpgrade C•CURE Web Client to v2.70 or later and install the corresponding security update (Web Client_c2.70_5.2_Update02 for v2.70, Web Client_c2.80_v5.4.1_Update04 for v2.80, or CCureWeb_2.90_Update01 for v2.90)

Long-term hardening

0/1

HARDENINGIsolate building automation system networks from the business network using network segmentation

CVEs (1)

CVE-2020-9049

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2ecce92b-f50d-4625-804e-16f5f079bd45

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.