X Close

Product Security Advisories

Johnson Controls is committed to providing timely communication about known threats and vulnerabilities to our products and works closely with our partners in the U.S. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to promote widest distribution possible of this important information.

 

Reported Product Advisories 

 

Advisory

Overview

Affected Products

Impact

Mitigation

"Meltdown" and "Spectre" Vulnerabilities CERT Vulnerability Note VU#584653

Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud.

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Find updates here.

We will continue to monitor the situation and evaluate the impact to our products. Johnson Controls global product teams will be publishing guidance as they complete their assessments.

Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:

  • Check this site regularly for updated information.
  • As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality.
  • Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.
“KRACK” Wi-Fi Vulnerability Attacks: CERT Vulnerability Note VU#228519

A significant weakness in a commonly used Wi-Fi security protocol was announced recently which could put the confidentiality of data transferred through wireless at risk.  The attack, dubbed “KRACK” affects a newly discovered weakness in the WPA2 protocol which is commonly to secure Wi-Fi networks.

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products.  Update to follow.

An attacker within range of a victim can potentially exploit these weaknesses to access some types of information transmitted between wireless clients and wireless network access points, thereby reducing the confidentiality and integrity of the data being transmitted.

Customers can take immediate steps to protect themselves by patching/updating operating systems and network devices as manufacturers make these updates available.

US CERT Alert TA17-132A017-0143
 “Indicators Associated with WannaCry Ransomware” May, 2017

IT systems worldwide have been affected by a prolific Ransomware attack which leverages a Microsoft SMB protocol vulnerability which may affect some Metasys system components.

All Metasys® software releases running on affected OS’,  All NxE55 series, all NxE85 series and LCS8520 The exploitation of this vulnerability could result in a successful Wannacry Ransomware attack compromising the availability of a Metasys® system. Apply Microsoft patch for MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products.

ICSA-14-350-02 March 17, 2015

Independent security researcher Billy Rios identified two vulnerabilities in Johnson Controls Metasys® building automation system.

Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500

The exploitation of these vulnerabilities could allow an unauthenticated remote attacker to compromise the confidentiality, integrity, and availabiliy of a Metasys® system.

Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.

ICS Vulnerabilities and Exploits

 

 

CVE-2014-0160 "Heartbleed" April 8, 2014

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.

None

We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

CVE-2014-6271 "Shellshock" September 25, 2014

A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.

None

We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

CVE-2014-3566
US-CERT Alert TA-14290A

Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt cipher
text using a padding oracle side channel attack. The attack leverages the ability for the communication to be downgraded to SSL V3, an older and less secure version of SSL which is vulnerable to attack.
Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys®  Export Utility, Ready Access Portal, and Metasys®  User Interface (UI) Release 1.5, 1.5.1, and 2.0

This vulnerability may allow an attacker who is on the same network as the victim to hijack an encrypted session between a client and a server that supports SSLv3, an older and less secure version of SSL. The attack is classified as a “man-in-the-middle exploit.” 

This does not involve any patches or updates to our products, simply a reminder to address this at the Microsoft operating system level. 
Disable SSLv3 on the server and standalone computers hosting the affected Metasys software.

 

jQuery("a[href*='.docx'],a[href*='.pdf']").attr("onclick","LogClick(this);")