Johnson Controls OpenBlue Enterprise Manager Data Collector

Plan PatchCVSS 10ICS-CERT ICSA-23-138-04May 22, 2023

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Johnson Controls OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 contain authentication bypass vulnerabilities in API endpoints (CWE-287 improper authentication and CWE-200 information exposure). Successful exploitation allows an attacker to make unauthenticated API calls to the Data Collector, exposing sensitive information such as building configuration, operational parameters, occupancy data, and energy usage statistics to unauthorized users. No public exploits currently exist for these vulnerabilities.

What this means

What could happen

An attacker could make unauthenticated API calls to the Data Collector and read sensitive building system data (occupancy, energy usage, configuration details) without credentials. This information could be used to map building operations or identify other systems for attack.

Who's at risk

Building automation and energy management operators should prioritize this issue. Organizations running Johnson Controls OpenBlue Enterprise Manager Data Collector (versions prior to 3.2.5.75) in commercial buildings, hospitals, universities, or industrial facilities are affected. This includes facilities managers, building engineers, and IT/OT teams responsible for HVAC, lighting, energy monitoring, and integrated controls systems.

How it could be exploited

An attacker on the network (or via the Internet if the Data Collector is exposed) sends crafted API requests directly to the OpenBlue Data Collector on its management port. Because authentication is not enforced on certain API endpoints, the requests succeed and return sensitive system information, configuration data, or operational parameters.

Prerequisites

Network reachability to the OpenBlue Data Collector management API port
No special credentials or authentication tokens required for vulnerable API endpoints

Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS score (10.0)Default or unauthenticated access

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (1)

ProductAffected VersionsFix Status

OpenBlue Enterprise Manager Data Collector: < 3.2.5.753.2.5.753.2.5.75

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to the Data Collector management API port—allow connections only from authorized engineering workstations and management servers using firewall rules or access control lists

HARDENINGEnsure the Data Collector is not directly reachable from the Internet; place it behind a firewall and on an isolated network segment separate from business networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate OpenBlue Enterprise Manager Data Collector firmware to version 3.2.5.75 (contact Johnson Controls to obtain the update)

Long-term hardening

0/1

HARDENINGIf remote access to the Data Collector is required, use a VPN with multi-factor authentication and keep VPN software updated

CVEs (2)

CVE-2023-2024 CVE-2023-2025

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7a97275f-448b-4617-88d4-9f830ab10870

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.