Johnson Controls CEM Systems AC2000
Priority: Act Now
CVSS: 7.8
Source: ICS-CERT ICSA-21-334-04
Published: Nov 30, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Johnson Controls CEM Systems AC2000 contains a privilege escalation vulnerability in sudo that allows a local attacker with user-level privileges to obtain super user (root) access on the underlying Linux operating system. Affected versions are AC2000 prior to version 10.6. Version 10.6 and later include a fixed version of sudo.
What this means
What could happen
An attacker with local access to an AC2000 system could gain root-level control of the building automation server, allowing them to modify setpoints, disable alarms, shut down HVAC or other critical building systems, or insert persistent malware.
Who's at risk
Building automation operators and facility managers running Johnson Controls CEM Systems AC2000 before version 10.6 should be aware that this vulnerability affects control of HVAC, lighting, access control, and the other critical building systems that the AC2000 platform manages.
How it could be exploited
An attacker with a valid user account on the AC2000 Linux server (or who has gained initial local access) could exploit a flaw in sudo to escalate privileges to root. Once root, they have complete control over the building automation system and all connected devices.
Prerequisites
- Valid user account on AC2000 server (non-root)
- Local access to the AC2000 system (physical access or prior compromise to gain login access)
- AC2000 version prior to 10.6
Tags:
- Actively exploited (KEV)
- High EPSS score (92.5%)
- Local privilege escalation
- No patch available for older versions
- Affects building automation and HVAC systems
- Low complexity attack
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product: CEM Systems AC2000: All
Affected Versions: < 10.6
Fix Status: 10.6
Remediation & Mitigation
Do now
- HOTFIX: Upgrade AC2000 to version 10.6 or later
- WORKAROUND: Remove the sudo package from AC2000 servers running versions prior to 10.6 by executing: rpm -e sudo
Schedule — requires maintenance window
- Patching may require a device reboot — plan for process interruption
- HARDENING: Restrict local login access to AC2000 servers to authorized personnel only; disable unnecessary user accounts
Long-term hardening
- HARDENING: Implement role-based access control to limit which users have login privileges to AC2000 systems
CVEs (1)