Johnson Controls Kantech Door Controllers

Low RiskCVSS 3.1ICS-CERT ICSA-24-184-01Jul 2, 2024

Johnson Controls

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

A vulnerability in Johnson Controls Kantech KT1, KT2, and KT400 door controllers allows an attacker with adjacent network access to extract sensitive information from the device. The vulnerability affects KT1 and KT2 controllers running firmware version 2.09.01 and earlier, and KT400 controllers running version 3.01.16 and earlier. Exploitation requires high attack complexity and proximity to the device's network segment; remote exploitation over the internet is not possible. This vulnerability has a low CVSS score (3.1) and no known public exploitation has been reported.

What this means

What could happen

An attacker with physical or local network access to a Kantech door controller could read sensitive information stored on the device, potentially exposing access control credentials or configuration details.

Who's at risk

Water authorities and municipal utilities that operate Johnson Controls Kantech door access control systems should be concerned. This affects KT1, KT2, and KT400 door controllers used in building access control. The risk is primarily to the confidentiality of access control credentials and device configuration that could be obtained by someone with local network access.

How it could be exploited

An attacker must have adjacent network access (same local network segment) to the door controller and must manipulate the device's configuration through a high-complexity attack vector to extract sensitive data. Remote exploitation over the internet is not possible.

Prerequisites

Adjacent network access to the door controller (same network segment)
High attack complexity required
No credentials required

No authentication requiredLow CVSS score (3.1)No patch available for affected versionsHigh attack complexityAdjacent network access required (not remotely exploitable)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Kantech KT2 Door Controller, Rev01: <=2.09.01≤ 2.09.013.10.12

Kantech KT400 Door Controller, Rev01: <=3.01.16≤ 3.01.163.03

Kantech KT1 Door Controller, Rev01: <=2.09.01≤ 2.09.013.10.12

Remediation & Mitigation

0/6

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Kantech KT1 Door Controller to firmware version 3.10.12 or later

HOTFIXUpdate Kantech KT2 Door Controller to firmware version 3.10.12 or later

HOTFIXUpdate Kantech KT400 Door Controller to firmware version 3.03 or later

Long-term hardening

0/3

HARDENINGIsolate door controller networks from business networks using firewalls and network segmentation

HARDENINGEnsure door controllers are not directly accessible from the internet; block inbound access at your perimeter

HARDENINGIf remote access to door controllers is required, use VPN with current security updates

CVEs (1)

CVE-2024-32754

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/01729f5d-27ec-4c88-86aa-e040371265a3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.