Johnson Controls Software House iStar Door Controller (Update A)

Plan PatchCVSS 9.1ICS-CERT ICSA-24-158-04Jun 6, 2024

Johnson ControlsEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A critical authentication bypass vulnerability (CWE-306) exists in Johnson Controls Software House iStar door controllers that allows attackers to gain unauthorized access without valid credentials. The iStar Pro, Edge, and eX controllers in all versions are vulnerable with no patch planned. The iStar Ultra and Ultra LT controllers are vulnerable in firmware versions prior to 6.6.B. The iSTAR Configuration Utility (ICU) tool can be weaponized to push configuration changes to vulnerable controllers, potentially allowing attackers to alter access control settings, disable alarms, or modify user permissions.

What this means

What could happen

An attacker could bypass authentication on iStar Pro/Edge/eX door controllers and gain unauthorized access, allowing them to alter access control settings, unlock doors, or lock out legitimate users from securing facilities.

Who's at risk

Building access control systems in energy sector facilities using Johnson Controls iStar door controllers. Facilities relying on these controllers for badge reader integration, keypad access, or emergency exit control systems should be reviewed. Affects all iStar Pro, Edge, and eX models (no patched version available) and iStar Ultra/Ultra LT models with firmware versions below 6.6.B.

How it could be exploited

An attacker with network access to the door controller can send specially crafted requests that bypass the authentication mechanism. The iSTAR Configuration Utility (ICU) tool can be used to push malicious configuration changes to affected controllers without valid credentials.

Prerequisites

Network reachability to the iStar door controller
iStar Pro, Edge, or eX controller (any version) OR iStar Ultra/Ultra LT running firmware prior to 6.6.B

remotely exploitableno authentication requiredlow complexityno patch available for Pro/Edge/eX modelsaffects physical security systems

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (3)

2 pending1 EOL

ProductAffected VersionsFix Status

Software House iStar Pro, Edge and eX door controllers: vers:all/*All versionsNo fix yet

Software House iStar Ultra and Ultra LT door controllers: <Firmware_6.6.B<Firmware 6.6.BNo fix yet

iSTAR Configuration Utility (ICU) Tool: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

iSTAR Configuration Utility (ICU) Tool: vers:all/*

HARDENINGDisable or restrict the iSTAR Configuration Utility (ICU) tool from being accessible from untrusted networks

All products

HARDENINGImplement network segmentation to restrict access to door controller management interfaces from only authorized engineering workstations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXReplace iStar Pro, Edge, and eX door controllers with current-generation units (iStar Ultra G2 or Edge G2) that include proper authentication

HOTFIXFor iStar Ultra and Ultra LT controllers still in service, update to firmware version 6.6.B or later

CVEs (1)

CVE-2024-32752

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bd001b03-be1d-4283-83d0-ae80228c0546

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.