OTPulse

Johnson Controls Entrapass

Plan Patch | 8.3 | ICS-CERT ICSA-21-336-02 | Dec 2, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls Entrapass contains an information disclosure vulnerability (CWE-200) affecting all versions below 8.40. An unauthorized user with local network access could view sensitive data, including access credentials and system configuration information, without authentication. The vulnerability is not remotely exploitable and requires presence on the network segment where Entrapass operates.

What this means
What could happen
An unauthorized user with network access to an Entrapass system could view sensitive credential data, potentially including access codes and system configuration details used to control building access.
Who's at risk
Building access control operators and IT managers responsible for Johnson Controls Entrapass systems. This affects any facility using Entrapass for card access, door lock control, and credential management in office buildings, data centers, and utility facilities.
How it could be exploited
An attacker on the same network segment as the Entrapass system (local network access only) could directly query or intercept unencrypted or weakly protected credential data without authentication. The vulnerability requires no credentials and no complex attack steps.
Prerequisites
  • Local network access to the Entrapass system
  • No authentication required
  • System must be on a network the attacker can reach
No authentication required · Low complexity · Default or weak credential handling · Affects access control systems · All versions below 8.40 vulnerable
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Entrapass: All | < 8.40 | 8.40
Remediation & Mitigation
Do now
HARDENING: Isolate the Entrapass system on a dedicated network segment behind a firewall, separate from the business network and the Internet
HARDENING: Restrict network access to Entrapass to only authorized management workstations and administrative devices using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Entrapass to Version 8.40 or later
HARDENING: If remote access to Entrapass is required, require use of a VPN with current security patches
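As an added example (not from the OTPulse advisory, Johnson Controls, or ICS-CERT), the following Python check verifies the "restrict network access to authorized management workstations" hardening step by flagging any flow to the Entrapass server from a source outside the allowlist; the server address, the allowlist entries and the flow log lines are constructed sample values, and the allowlist accepts both single addresses and CIDR ranges.

```python
import ipaddress
from typing import Iterable

# Constructed sample values (not from the advisory): the Entrapass server,
# the management hosts allowed to reach it, and a few flow log lines.
ENTRAPASS_HOST = "10.20.30.40"
MANAGEMENT_ALLOWLIST = ["10.20.30.10", "10.20.30.11/32"]
SAMPLE_FLOWS = """\
2021-12-02T10:00:01Z src=10.20.30.10 dst=10.20.30.40 proto=tcp dport=443
2021-12-02T10:00:05Z src=10.20.30.77 dst=10.20.30.40 proto=tcp dport=443
2021-12-02T10:00:09Z src=10.20.30.11 dst=10.20.30.40 proto=tcp dport=8443
2021-12-02T10:00:12Z src=10.20.30.77 dst=10.20.30.50 proto=tcp dport=80
2021-12-02T10:00:15Z src=192.168.5.9 dst=10.20.30.40 proto=udp dport=161
"""


def parse_flow(line: str) -> dict:
    """Parse one 'timestamp key=value ...' flow record into a dict (timestamp under 'ts')."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def unauthorized_flows(lines: Iterable[str], entrapass_host: str,
                       allowlist: Iterable[str]) -> list:
    """Return flow records whose destination is the Entrapass host and whose
    source is not covered by any allowlisted address or network."""
    target = ipaddress.ip_address(entrapass_host)
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_flow(line)
        if ipaddress.ip_address(rec["dst"]) != target:
            continue  # traffic to other hosts is out of scope here
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in allowed):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in unauthorized_flows(SAMPLE_FLOWS.splitlines(), ENTRAPASS_HOST, MANAGEMENT_ALLOWLIST):
        print(f"{f['ts']} unexpected {f['proto']}/{f['dport']} from {f['src']} to Entrapass")
```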