Johnson Controls System Configuration Tool (SCT)
Plan Patch | 7.5 | ICS-CERT ICSA-23-040-03 | Feb 9, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
Johnson Controls System Configuration Tool (SCT) contains cookie handling vulnerabilities (CWE-1004, CWE-614) that could allow an attacker to access session cookies and hijack authenticated user sessions. Successful exploitation requires the user to click a malicious link while logged into SCT. The vulnerabilities affect SCT version 14 before patch 14.2.3 and version 15 before patch 15.0.3. No known public exploits exist, and the vulnerabilities have high attack complexity.
What this means
What could happen
An attacker who tricks a user into opening a malicious link while logged into SCT could steal the user's session cookie and take over their account, gaining access to building automation configuration and control.
Who's at risk
Building automation and HVAC system operators and engineers using Johnson Controls System Configuration Tool for device programming and building control configuration. This affects anyone with access to SCT web interfaces in facilities using Johnson Controls equipment.
How it could be exploited
The attacker crafts a malicious link targeting a user with an active SCT session. When the user clicks the link (requires user interaction), the attacker's code can access the session cookie due to improper cookie handling. The attacker then uses the stolen cookie to impersonate the legitimate user within SCT.
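A defender-side check for the two cookie weaknesses named in the summary (CWE-1004, missing HttpOnly; CWE-614, missing Secure), given here as an added example that is not Johnson Controls code and not part of the advisory. The cookie names, header values and session-name heuristic are constructed assumptions, since this page does not give SCT's actual cookie names.

```python
# Audit Set-Cookie headers for CWE-1004 (no HttpOnly) and CWE-614 (no Secure).
# Cookie names and header values below are constructed, not taken from SCT.

SESSION_HINTS = ("sess", "auth", "token", "sid")  # assumption: naming heuristic


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in filter(None, parts[1:]):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, https=True):
    """Return a list of CWE findings for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if not any(h in name.lower() for h in SESSION_HINTS):
        return findings  # not treated as a session cookie
    if "httponly" not in attrs:
        findings.append("CWE-1004: %s readable by page script (no HttpOnly)" % name)
    if https and "secure" not in attrs:
        findings.append("CWE-614: %s may be sent over plain HTTP (no Secure)" % name)
    return findings


def audit_response(headers, https=True):
    """headers: iterable of (name, value) pairs from one HTTP response."""
    out = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            out.extend(audit_cookie(value, https))
    return out


# Constructed sample responses: a weak session cookie and a hardened one.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "SESSIONID=abc123; Path=/")]
HARDENED = [("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
            ("Set-Cookie", "theme=dark; Path=/")]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or "no findings")
```

Feeding it the response headers captured from a patched and an unpatched instance gives a quick before/after check that the session cookie attributes changed.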
Prerequisites
- Active user session in SCT
- User clicks attacker-supplied link while logged in
- Network access to SCT web interface
- Remotely exploitable
- User interaction required
- High attack complexity
- Session hijacking capability
- High CVSS score (7.5)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
System Configuration Tool: System Configuration Tool (SCT) | < 14.2.3 | 14.2.3
System Configuration Tool: System Configuration Tool (SCT) | < 15.0.3 | 14.2.3
Remediation & Mitigation
Do now
System Configuration Tool: System Configuration Tool (SCT)
- HARDENING: Restrict network access to SCT to authorized engineering workstations only; do not expose SCT web interface to the Internet or business networks
- WORKAROUND: Require users to log out of SCT when stepping away from the workstation and after each session
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update System Configuration Tool version 14 to patch 14.2.3 or later
- HOTFIX: Update System Configuration Tool version 15 to patch 15.0.3 or later
Long-term hardening
System Configuration Tool: System Configuration Tool (SCT)
- HARDENING: Implement network segmentation between SCT and business/Internet networks using firewalls
CVEs (2)