Product Security Advisory
Meltdown and Spectre Vulnerabilities

Pub # GPS-PSA-2018-02
Initial Publication Date: 1/10/18
Date (Rev.) 1/26/18
Version # 2.0

CVEs: CVE-2017-5753 and CVE-2017-5715 (“Spectre”) and CVE-2017-5754 (“Meltdown”)

Johnson Controls is actively investigating the impact of these vulnerabilities in our products and offerings along with the impact of the associated patches from OEM processor and operating system (OS) vendors. More information will be posted here and available through normal support channels once it becomes available.

Background
Researchers recently disclosed two security vulnerabilities that impact aspects of many modern processors that could allow the disclosure of sensitive data. These vulnerabilities, known as “Meltdown” and “Spectre,” create the potential for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, embedded devices, and cloud computing environments.

They are not related to any vulnerabilities identified in Johnson Controls developed software/firmware, but rather in the embedded software/firmware that enables optimized execution in some Intel®, AMD™, and Arm® brand processors.

Status Update
Johnson Controls Global Product Security Incident Response Team (PSIRT) continues to work with the Building Technologies and Solutions Global Products (“Global Products”) teams to assess the potential impact of the Meltdown and Spectre vulnerabilities. As the processor and operating system OEM responses continue to evolve, we will continue to monitor the situation and evaluate the impact of these responses to our products.

Some of these OEM updates have been reported to have negative impacts on system performance and in some instances have been rescinded altogether; therefore, Johnson Controls continues to recommend thorough testing of any update on customer-maintained equipment prior to deploying mitigations for these vulnerabilities. Johnson Controls also conducts extensive testing of OS and processor updates before implementing them (or recommending them for implementation) on our embedded systems.

A number of cloud-enabled solutions offered by Johnson Controls Global Products are hosted on third-party cloud environments that may be impacted by the Meltdown and Spectre vulnerabilities independent of the solutions running on those cloud environments. Johnson Controls Global Products is working with its cloud providers to assess the risk of these vulnerabilities on those cloud environments and has confirmed that its cloud providers have mitigated or have developed plans to mitigate the risk of these vulnerabilities to their cloud environments. At this time, no customer action is recommended with respect to Johnson Controls Global Products cloud-enabled solutions.

Although these are important security issues, we believe that the actual risk of exploitation of the Meltdown and Spectre vulnerabilities in Johnson Controls products remains relatively low due to other controls in place in many of our systems as well as the secure environments maintained by our customers.

We urge vigilance on our customers’ part to ensure that they continue to maintain a defense in depth strategy.

Note: This document does not include information regarding Johnson Controls’ Security Products offerings. Please refer to the Tyco Cyber Protection Program for information regarding these products.

Initial Product Assessment and Actions – Embedded Products
Based on what is currently known about the Meltdown and Spectre CVEs referenced above, we have identified the following embedded products and appliances that are potentially affected, although we believe that the risk to these products and appliances is low due to the high degree of difficulty of exploiting the vulnerabilities at this time. This is due in large part to the limited capability for an attacker/malware to execute non-Johnson Controls code on the devices, assuming that the devices are being used as intended and documented and that the products have been deployed per Johnson Controls documented best practices.

While research is ongoing into the extent of the impact of the Meltdown and Spectre vulnerabilities on the products and solutions of Johnson Controls Global Products, the following embedded products have been identified as being potentially impacted by these vulnerabilities:

  • Metasys® MS-NxE55xx Engines
  • Mobile Access Portal Gateway
  • Metasys Wireless Network Coordinator (WNCxxx)
  • VRF Smart Gateway
  • Verasys™ Smart Building Hub
  • SimplexTrueSite Server
  • Simplex 4007 Series Fire Alarm Control Panel

For the above products, customers should leverage their usual sales and support channel to get specific details regarding if and when patches or updates may become available.

Initial Product Assessment and Actions – Applications
Some of the products and solutions offered by Johnson Controls Global Products are installed and run primarily on third-party hardware and operating systems that may be impacted by the Meltdown and Spectre vulnerabilities independent of the Johnson Controls products running on those systems. We have identified the following software products to be potentially impacted due to the possibility that they may be running on third-party systems that use processors that have been identified by their manufacturers as being impacted by the Meltdown and Spectre vulnerabilities. Johnson Controls is actively testing these applications along with the OEM patches as they become available in order to assess the potential performance and/or functionality impact on these applications; however, individual results on your systems may vary from our test results due to site specific configuration and hardware choices. For potentially impacted systems, customers should patch their environments when stable operating system and processor patches are available from the relevant manufacturers. We recommend that full system backups and thorough testing be performed prior to deploying to production or critical control environments. 

While research is ongoing into the extent of the impact of the Meltdown and Spectre vulnerabilities on the products and solutions of Johnson Controls Global Products, the following software applications have been identified as being potentially impacted by these vulnerabilities depending on the systems on which they are deployed:

  • Metasys ADS/ADX/ODS, NxE8500 Applications
  • Metasys Software Configuration Tool (SCT) and Controller Configuration Tool (CCT)
  • SimplexTrueSite Workstation Client
  • Simplex Nurse Call Server

In addition to these specific products, any laptop, PC, server, or mobile device that is used to access a Johnson Controls system via browser or installed application is potentially affected by these vulnerabilities. For these devices, you should follow this same guidance of backing up and testing prior to broad deployment of processor or operating system manufacturers' patches.

Other Customer Actions
Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:

  • Check this site regularly for updated information.
  • As always, prior to deploying software patches or updates, test on non-production systems. Follow all vendor instructions and warnings to ensure patches do not impair system functionality.
  • Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.
  • Maintain software support or preventative service agreements to ensure your applicable building system is kept up-to-date with routine patching and other maintenance.
  • Stay current on building systems software as Johnson Controls continually strives to improve the cybersecurity of our product offerings and stay current with the evolving threat landscape.
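The guidance above asks customers to confirm that operating system and processor patches have actually landed on each host before relying on them. As an added example that is not part of this advisory, the following POSIX shell function reads the mitigation status that recent Linux kernels publish for the three CVEs in this advisory under /sys/devices/system/cpu/vulnerabilities/ and returns a non-zero count when any entry is still vulnerable, missing (older kernel) or unrecognized. The directory is a parameter so the check can also be run against a copied or constructed set of files; the mapping of CVE to file name is the kernel's own.

```shell
#!/bin/sh
# Added example (not Johnson Controls code): report the Linux kernel's own
# mitigation status for Spectre v1/v2 and Meltdown. Recent kernels expose one
# file per issue under /sys/devices/system/cpu/vulnerabilities/, each reading
# "Not affected", "Mitigation: ..." or "Vulnerable[: ...]".
#
# Usage: check_mitigations            # live host
#        check_mitigations /some/dir  # a copied or constructed set of files
# Return value: number of entries that are NOT confirmed mitigated (0 = all good).
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    # sysfs entry name : CVE it corresponds to (mapping used by the kernel)
    for entry in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        name="${entry%%:*}"
        cve="${entry#*:}"
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            # Older kernels do not expose the file; treat "unknown" as not mitigated.
            printf '%-14s %-10s UNKNOWN: %s not readable (kernel too old or not Linux)\n' \
                "$cve" "$name" "$file"
            unmitigated=$((unmitigated + 1))
            continue
        fi
        status="$(cat "$file")"
        case "$status" in
            Vulnerable*)
                printf '%-14s %-10s NOT MITIGATED: %s\n' "$cve" "$name" "$status"
                unmitigated=$((unmitigated + 1)) ;;
            "Not affected"|Mitigation:*)
                printf '%-14s %-10s OK: %s\n' "$cve" "$name" "$status" ;;
            *)
                # Any other wording is reported rather than silently accepted.
                printf '%-14s %-10s UNRECOGNIZED: %s\n' "$cve" "$name" "$status"
                unmitigated=$((unmitigated + 1)) ;;
        esac
    done
    return "$unmitigated"
}
```

Source the file on the host and call check_mitigations; a zero exit status means every entry reads "Not affected" or "Mitigation: ...". Note that the kernel reports only its own mitigations: a hypervisor or firmware (microcode) update that has not been applied can still leave a guest exposed, so this check complements, rather than replaces, the vendor patch status for the platform.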

The Department of Homeland Security’s ICS-CERT provides guidance on control systems security recommended practices on this web page. Several recommended practices are available for reading and download including “Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.”

For More Information and Assistance
Contact your Johnson Controls account executive and leverage established sales/service channels for your Johnson Controls product. Customers of Johnson Controls/Tyco Security Products (access control, video surveillance, and intrusion detection) should monitor this page, and the Tyco Cyber Protection Program. If you have more questions or need additional support, email the Johnson Controls PSIRT at productsecurity@jci.com.

This bulletin is current as of the date of its release. Johnson Controls Global Products continues to investigate the impact of the Spectre and Meltdown vulnerabilities on its products and solutions and will provide further updates as appropriate. If you have questions regarding the potential impact of these vulnerabilities on a specific Johnson Controls product or solution, please contact your Johnson Controls sales or service representative.

Meltdown and Spectre Vulnerabilities

Pub # GPS-PSA-2018-01
Initial Publication Date: 1/10/18
Date (Rev.) N/A
Version # 1.0

CVEs: CVE-2017-5753 and CVE-2017-5715 (“Spectre”) and CVE-2017-5754 (“Meltdown”)

Summary
Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities, known as “Meltdown” and “Spectre,” allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud. They are not related to any vulnerabilities identified in Johnson Controls code but rather in the software that controls some Intel, AMD, and ARM brand processors.

The Johnson Controls Product Security Incident Response Team (PSIRT) is working with our global product teams to assess the potential impact of the Meltdown and Spectre vulnerabilities. We will publish more information on this site and through product support channels as it becomes available. This is an evolving situation so please check back regularly for updates and further information.

Third-party vendors continue to work on their evolving mitigations for these vulnerabilities. We will continue to monitor the situation and evaluate the impact to our products. Johnson Controls global product teams will be publishing guidance as they complete their assessments.

Please note the following:

  • Following secure IT deployment and maintenance practices should significantly reduce the risk and impact of this vulnerability being successfully leveraged by an attacker.
  • To execute code locally, an attacker would require a valid account or independent compromise of the target.
  • These exploits, while affecting confidentiality, do not have the potential to corrupt, modify, or delete data.
  • At the time of publishing this notice, we are not aware of attacks that have successfully leveraged these vulnerabilities.

Customer Actions

Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:

  • Check this site regularly for updated information.
  • As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality.
  • Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.

The Department of Homeland Security’s ICS-CERT provides guidance on control systems security recommended practices on their web page. Several recommended practices are available for reading and download including “Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.”

For More Information and Assistance
Contact your Johnson Controls account executive and leverage established sales/service channels for your Johnson Controls product. Customers of Johnson Controls/Tyco security products (access control, video surveillance, and intrusion detection) should monitor this page and the Tyco Cyber Protection Program. If you have more questions or need additional support, email the Johnson Controls PSIRT at productsecurity@jci.com.
