X Close

Product Security Advisories

Johnson Controls is committed to providing timely communication about known threats and vulnerabilities to our products and works closely with our partners in the U.S. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to promote widest distribution possible of this important information.

 

Reported Product Advisories 

 

Advisory

Overview

Affected Products

Impact

Mitigation

Previously Posted January 2018

Software House
IP-ACM Door Controller Software Product Security Advisory

Click here for the advisory.

 A September 2018 Forbes article discussed the 2017 findings of Google employee David Tomaschik regarding the Software House IP-ACM v1 vulnerability.

Software House IP-ACM v1

Model Numbers:
• IP-ACM2-MB
• IP-ACM2-EM
• IP-ACM2-EP

As part of a controlled test, a Google employee was able to manipulate access control on doors served by the Software House IP-ACM v1. The second generation of the IP-ACM (IP-ACM v2) hardware and firmware, released February 2018, are not susceptible to this vulnerability.

For customers with first generation hardware, the IP-ACM should be located on an isolated VLAN or physical network.

Metasys® Building Automation System (BAS) Information Disclosure Vulnerability

ICS Cert Notice ICSA-18-212-02

CVE-2018-10624

Please visit the ICS CERT notice linked above for complete information and additional resources.

A previous version of the Metasys BAS could potentially reveal technical information when an authentication error occurs in the BAS server.

Metasys system versions 8.0 and prior.

BCM (now BC Pro) all versions prior to 3.0.2
A malicious attacker could attempt to use this information to extract further information from a system. No known exploits specifically target this potential vulnerability. The impact is significantly reduced when recommended deployment strategies are implemented. Customers should upgrade to the latest product versions. Contact your Johnson Controls Sales or Service representative for details.

Johnson Controls recommends taking steps to minimize risks to all BASs.

Please reference our
Metasys Security page.

The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices.
"Meltdown" and "Spectre" Vulnerabilities CERT Vulnerability Note VU#584653

Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud.

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Find updates here.

We will continue to monitor the situation and evaluate the impact to our products. Johnson Controls global product teams will be publishing guidance as they complete their assessments.

Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:

  • Check this site regularly for updated information.
  • As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality.
  • Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.
“KRACK” Wi-Fi Vulnerability Attacks: CERT Vulnerability Note VU#228519

A significant weakness in a commonly used Wi-Fi security protocol was announced recently which could put the confidentiality of data transferred through wireless at risk.  The attack, dubbed “KRACK” affects a newly discovered weakness in the WPA2 protocol which is commonly to secure Wi-Fi networks.

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products.  Update to follow.

An attacker within range of a victim can potentially exploit these weaknesses to access some types of information transmitted between wireless clients and wireless network access points, thereby reducing the confidentiality and integrity of the data being transmitted.

Customers can take immediate steps to protect themselves by patching/updating operating systems and network devices as manufacturers make these updates available.

US CERT Alert TA17-132A017-0143
 “Indicators Associated with WannaCry Ransomware” May, 2017

IT systems worldwide have been affected by a prolific Ransomware attack which leverages a Microsoft SMB protocol vulnerability which may affect some Metasys system components.

All Metasys® software releases running on affected OS’,  All NxE55 series, all NxE85 series and LCS8520 The exploitation of this vulnerability could result in a successful Wannacry Ransomware attack compromising the availability of a Metasys® system. Apply Microsoft patch for MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products.

ICSA-14-350-02 March 17, 2015

Independent security researcher Billy Rios identified two vulnerabilities in Johnson Controls Metasys® building automation system.

Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500

The exploitation of these vulnerabilities could allow an unauthenticated remote attacker to compromise the confidentiality, integrity, and availabiliy of a Metasys® system.

Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.

ICS Vulnerabilities and Exploits

 

 

CVE-2014-0160 "Heartbleed" April 8, 2014

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.

None

We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

CVE-2014-6271 "Shellshock" September 25, 2014

A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.

None

We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

CVE-2014-3566
US-CERT Alert TA-14290A

Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt cipher
text using a padding oracle side channel attack. The attack leverages the ability for the communication to be downgraded to SSL V3, an older and less secure version of SSL which is vulnerable to attack.
Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys®  Export Utility, Ready Access Portal, and Metasys®  User Interface (UI) Release 1.5, 1.5.1, and 2.0

This vulnerability may allow an attacker who is on the same network as the victim to hijack an encrypted session between a client and a server that supports SSLv3, an older and less secure version of SSL. The attack is classified as a “man-in-the-middle exploit.” 

This does not involve any patches or updates to our products, simply a reminder to address this at the Microsoft operating system level. 
Disable SSLv3 on the server and standalone computers hosting the affected Metasys software.

 

jQuery("a[href*='.docx'],a[href*='.pdf']").attr("onclick","LogClick(this);")