OTPulse

Sensormatic Electronics iSTAR

Priority: Act Now (score 10)
Source: ICS-CERT ICSA-22-242-11
Published: Aug 30, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An unauthenticated attacker can send a malicious network request to an iSTAR Ultra device and execute arbitrary commands with root privileges. This vulnerability affects all versions of iSTAR Ultra before firmware 6.8.9 CU01. Johnson Controls has released patched firmware (version 6.8.9 CU01) to address this issue.

What this means
What could happen
An attacker can run arbitrary commands with root privileges on the iSTAR Ultra access controller without any authentication, potentially disabling access controls, tampering with access event logs, or locking legitimate users out of facilities.
Who's at risk
Security and access control system operators at facilities using Johnson Controls Sensormatic Electronics iSTAR Ultra for building access control. This includes corporate offices, data centers, manufacturing plants, utilities, and any facility relying on this system for physical security.
How it could be exploited
An attacker sends a specially crafted network request to the iSTAR Ultra device over the network. The device accepts the request without requiring authentication and executes it as the root user, allowing the attacker to run any command they choose.
Prerequisites
  • Network access to the iSTAR Ultra management interface (typically port 80 or 443)
  • Device running firmware version older than 6.8.9 CU01
Risk factors:
  • Remotely exploitable over the network
  • No authentication required
  • Low complexity exploitation
  • High EPSS score (19.7%)
  • Affects a security system that controls facility access
  • Runs as root (highest privilege level)
Exploitability
High exploit probability (EPSS 19.7%)
Affected products (1)
Product            | Affected Versions | Fix Status
iSTAR Ultra (all)  | < 6.8.9 CU01      | 6.8.9 CU01
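The fix threshold above is the check a fleet owner actually has to run across an inventory, and the CU suffix makes a plain string comparison wrong: 6.8.9 sorts below 6.8.9 CU01, and both sort below 6.8.10. The script below is an added example, not code from OTPulse, ICS-CERT or Johnson Controls. It assumes firmware strings of the form `6.8.9`, `6.8.9 CU01` or `6.8.9.CU01`; the controller records, IP addresses and zone names are constructed for illustration, and the "urgent" versus "schedule" split simply applies the two prerequisites listed above (vulnerable firmware plus network reachability from an untrusted zone).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# First firmware release that contains the fix (from the advisory).
FIXED_VERSION = "6.8.9 CU01"

# Accepts "6.8.9", "6.8.9 CU01", "6.8.9.CU01", "6.8.9CU01" (assumed formats).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:[\s.-]*CU\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_firmware(version: str) -> tuple[int, int, int, int]:
    """Turn an iSTAR Ultra firmware string into a comparable tuple.

    A base release with no CU suffix gets cumulative-update number 0, so
    6.8.9 < 6.8.9 CU01 < 6.8.10 compares the way the fix threshold needs.
    Unrecognised strings raise instead of silently reading as patched.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised iSTAR Ultra firmware string: {version!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu else 0)


def is_affected(version: str) -> bool:
    """True when the firmware is older than 6.8.9 CU01."""
    return parse_firmware(version) < parse_firmware(FIXED_VERSION)


@dataclass(frozen=True)
class Controller:
    name: str
    firmware: str
    mgmt_ip: str
    # Network zones that have a route to the controller's network interface.
    reachable_from: tuple[str, ...]


# Only this zone is expected to talk to the controllers (assumed zone name).
TRUSTED_ZONES = {"physical-security"}


def triage(inventory: list[Controller]) -> list[tuple[str, str, str]]:
    """Return (name, firmware, priority) for every affected controller.

    "urgent": vulnerable and reachable from a zone outside TRUSTED_ZONES,
              i.e. both prerequisites for unauthenticated root RCE are met.
    "schedule": vulnerable but only reachable from the trusted zone; patch
              in the next maintenance window.
    Patched controllers are omitted. Urgent findings sort first; ties keep
    inventory order.
    """
    rank = {"urgent": 0, "schedule": 1}
    findings: list[tuple[str, str, str]] = []
    for ctrl in inventory:
        if not is_affected(ctrl.firmware):
            continue
        exposed = any(zone not in TRUSTED_ZONES for zone in ctrl.reachable_from)
        findings.append((ctrl.name, ctrl.firmware, "urgent" if exposed else "schedule"))
    return sorted(findings, key=lambda f: rank[f[2]])


# Constructed sample inventory; not real devices.
SAMPLE_INVENTORY = [
    Controller("lobby-ctrl-01", "6.8.9 CU01", "10.20.0.11", ("physical-security",)),
    Controller("dc-ctrl-02", "6.8.9", "10.20.0.12", ("physical-security", "corporate")),
    Controller("plant-ctrl-03", "6.7.2.CU02", "10.20.0.13", ("physical-security",)),
    Controller("hq-ctrl-04", "6.8.10", "10.20.0.14", ("physical-security", "corporate")),
]


if __name__ == "__main__":
    for name, firmware, priority in triage(SAMPLE_INVENTORY):
        print(f"{priority:8} {name:16} firmware {firmware}")
```

Feeding the script an export of the real controller list is the only change needed; the point of the parser raising on unknown strings is that a blank or oddly formatted firmware field should show up as an error to investigate, never as a device that looks patched.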
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the iSTAR Ultra device: place it behind a firewall and deny all inbound connections from the Internet and from any network other than the security management network
HARDENING: If remote access is required, route all connections through a VPN with current security patches
Schedule (requires maintenance window)

Patching may require a device reboot; plan for an interruption of access control operations while the controller restarts.

HOTFIX: Update iSTAR Ultra firmware to version 6.8.9 CU01 or later
Long-term hardening
HARDENING: Segment the iSTAR Ultra device from business networks; keep it on a dedicated security system network with limited interconnections
API: /api/v1/advisories/873d435c-beaf-4a11-88cd-a48c5ccf72e1