OTPulse

Johnson Controls Software House iStar Door Controller (Update A)

Priority: Act Now
CVSS: 9.1
Source: ICS-CERT ICSA-24-158-04
Published: Jun 6, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A critical missing-authentication vulnerability (CWE-306, Missing Authentication for Critical Function) in Johnson Controls Software House iStar door controllers lets a network-reachable attacker act on the controller without presenting any credentials. The iStar Pro, Edge, and eX controllers are affected in all versions and no firmware fix is available; the vendor's remediation is hardware replacement. The iStar Ultra and Ultra LT controllers are affected in firmware versions prior to 6.6.B. The iSTAR Configuration Utility (ICU) tool, itself end-of-life and unfixed, is the path an attacker can use to push configuration changes to an affected controller, potentially altering access control settings, disabling alarms, or modifying user permissions.

What this means
What could happen
An attacker could bypass authentication on iStar Pro, Edge, and eX door controllers, and on iStar Ultra/Ultra LT units running firmware older than 6.6.B, and then alter access control settings, unlock doors, or lock legitimate users out of the system that secures the facility. Because the weakness is in a physical access control device, the impact is loss of control over who can enter a building, not only a data breach.
Who's at risk
Building access control systems that use Johnson Controls iStar door controllers; the advisory identifies energy sector facilities as the primary deployment. Any facility relying on these controllers for badge reader integration, keypad access, or emergency exit control should be reviewed. Affected: all iStar Pro, Edge, and eX models (no patched firmware exists) and iStar Ultra/Ultra LT models with firmware below 6.6.B.
How it could be exploited
An attacker with network access to the door controller can send requests that the controller accepts without authenticating the sender. In practice the iSTAR Configuration Utility (ICU) tool, or anything that speaks its protocol, can push configuration changes to an affected controller without valid credentials; the advisory does not publish the protocol details, so treat any host that can reach the controller's management interface as able to do this.
Prerequisites
  • Network reachability to the iStar door controller
  • iStar Pro, Edge, or eX controller (any version) OR iStar Ultra/Ultra LT running firmware prior to 6.6.B
Tags: remotely exploitable; no authentication required; low complexity; no patch available for Pro/Edge/eX models; affects physical security systems
Exploitability
Low exploit probability (EPSS 0.2%). EPSS estimates the likelihood of observed in-the-wild exploitation over the next 30 days; it says nothing about how easy the attack is. With no credentials required, low complexity, and a physical-security outcome, prioritize on exposure: any controller reachable from a network that is not strictly limited to engineering workstations should be treated as urgent regardless of the EPSS figure.
Affected products (3)
1 pending fix, 1 fixed by firmware update, 1 EOL

Product                                                  | Affected Versions          | Fix Status
Software House iStar Pro, Edge and eX door controllers   | All versions (vers:all/*)  | No firmware fix; replace hardware
Software House iStar Ultra and Ultra LT door controllers | Firmware < 6.6.B           | Update to firmware 6.6.B or later
iSTAR Configuration Utility (ICU) Tool                   | All versions (vers:all/*)  | No fix (EOL)
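As a triage aid for the affected-product table above, the following is an added example (not OTPulse or Johnson Controls code) that classifies a controller inventory against this advisory's scope. It assumes firmware strings use the "6.6.B" shape shown in the advisory (major.minor.revision-letter, optionally prefixed with "Firmware"), treats the G2 replacement units named under remediation as outside the advisory's scope rather than as verified unaffected, and refuses to mark a unit fixed when its firmware string is missing or unparseable. The inventory rows are constructed.

```python
"""Triage a controller inventory against the ICSA-24-158-04 scope.

Added example, not OTPulse or Johnson Controls code. Assumptions:
  * firmware strings follow the "6.6.B" shape used in the advisory
    (major.minor.revision-letter), optionally prefixed with "Firmware";
  * G2 units are out of scope (the advisory names them as replacements);
  * the inventory rows below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADVISORY = "ICSA-24-158-04"
ULTRA_FIXED_IN = "6.6.B"   # iStar Ultra / Ultra LT: first firmware not affected


@dataclass
class Finding:
    host: str
    model: str
    firmware: str
    status: str   # affected | fixed | unknown | out_of_scope
    action: str


def parse_version(text: str) -> Optional[Tuple[int, int, str]]:
    """'Firmware 6.6.B' -> (6, 6, 'B'); None when no such version is present."""
    m = re.search(r"(\d+)\.(\d+)\.([A-Za-z])\b", text or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).upper()


def model_family(model: str) -> Optional[str]:
    """Map a free-text model name onto the advisory's product groups."""
    name = model.lower()
    if "istar" not in name:
        return None
    if "g2" in name:          # Ultra G2 / Edge G2: replacement units, not listed as affected
        return "g2"
    if "ultra" in name:       # covers both Ultra and Ultra LT
        return "ultra"
    for family in ("pro", "edge", "ex"):
        if re.search(rf"\b{family}\b", name):
            return family
    return None


def triage(host: str, model: str, firmware: str) -> Finding:
    family = model_family(model)
    if family is None:
        return Finding(host, model, firmware, "out_of_scope",
                       f"Not an iStar model listed in {ADVISORY}")
    if family == "g2":
        return Finding(host, model, firmware, "out_of_scope",
                       "Current-generation unit; not listed as affected")
    if family in ("pro", "edge", "ex"):
        # Every version is affected and no firmware fix exists.
        return Finding(host, model, firmware, "affected",
                       "No firmware fix: isolate the management interface and plan replacement")
    version = parse_version(firmware)
    if version is None:
        # Missing or unparseable firmware: never silently assume it is fixed.
        return Finding(host, model, firmware, "unknown",
                       "Firmware version missing or unparseable; verify on the device")
    if version < parse_version(ULTRA_FIXED_IN):
        return Finding(host, model, firmware, "affected",
                       f"Update to firmware {ULTRA_FIXED_IN} or later")
    return Finding(host, model, firmware, "fixed", "No action for this advisory")


# Constructed inventory rows: (hostname, model, firmware string as exported).
SAMPLE_INVENTORY = [
    ("acs-dc-01", "iSTAR Pro", "3.2.A"),
    ("acs-dc-02", "iSTAR Ultra", "6.5.C"),
    ("acs-dc-03", "iSTAR Ultra LT", "6.6.B"),
    ("acs-dc-04", "iSTAR Ultra", "Firmware 6.10.A"),
    ("acs-dc-05", "iSTAR Ultra", ""),
    ("acs-dc-06", "iSTAR Edge G2", "1.0.A"),
]


def triage_inventory(rows=SAMPLE_INVENTORY) -> List[Finding]:
    return [triage(*row) for row in rows]


if __name__ == "__main__":
    for f in triage_inventory():
        print(f"{f.host:12} {f.model:14} {f.firmware or '-':16} {f.status:13} {f.action}")
```

The version comparison is done on a (major, minor, letter) tuple rather than on the raw string so that 6.10.A correctly sorts after 6.6.B; a plain string compare would get that wrong. Feed it your own export by replacing SAMPLE_INVENTORY with rows from the access-control server's device list.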
Remediation & Mitigation

Do now

iSTAR Configuration Utility (ICU) Tool: vers:all/*
HARDENING  Disable the ICU tool where it is not needed. Where it is, restrict it so it is reachable only from trusted engineering networks; the ICU is the path used to push unauthenticated configuration changes, and it will not receive a fix.
All products
HARDENING  Segment the network so that door controller management interfaces are reachable only from authorized engineering workstations, and deny all other sources at the segment boundary. Verify the segmentation by confirming from a non-engineering host that the controller cannot be reached.

Schedule (requires a maintenance window)

Firmware updates and controller replacement require a device reboot or a hardware swap; plan for interruption of door control and alarm monitoring during the window.

HOTFIX  Replace iStar Pro, Edge, and eX door controllers, for which no firmware fix exists, with current-generation units (iStar Ultra G2 or Edge G2) that include proper authentication.
HOTFIX  For iStar Ultra and Ultra LT controllers still in service, update to firmware version 6.6.B or later.