August 15, 2019

Bluetooth “KNOB” attack or BR/EDR Key Negotiation Vulnerability

CVE-2019-9506 
JCI-PSA-2019-08 v1

Security advisories for affected products will be appended to this web page as they are made available.

The PSA IDs for each product specific advisory has common root followed by “.x” where x is the instance number (JCI-PSA-2019-08.x).

Please visit the ICS-CERT advisory linked below for complete information and additional resources.

ICS-CERT-19-199-01

TrueInsight modules used to connect the Simplex® 4007ES, 4010ES, 4100ES, and 4100U Fire Alarm Control Panels

This vulnerability impacts all TrueInsight modules. If properly exploited, this vulnerability could result in unauthorized access to the fire system. Unfortunately, there is no patch available to fix the vulnerability.

Please reference the linked Johnson Controls advisory below to find mitigation steps: Click Here. 

July 8, 2019

Microsoft® Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”).

Vulnerable in-support systems include Windows 7 operating system, Windows Server® 2008 R2, and Windows Server 2008 systems.

Out-of-support but affected operating systems include Windows Server 2003 and Windows XP® operating systems.

Microsoft discovered a vulnerability in its Remote Desktop service that is included in most versions of a wide variety of its operating systems. Although this vulnerability is not associated with any specific Johnson Controls application, it does impact the computer environments that can host those applications.

Microsoft has released a product update that patches this security issue.

Please reference the linked advisory below to find mitigation steps: Click Here.

May 22, 2019

ICS-CERT Advisory ICSA-19-163-01

Please visit the ICS-CERT advisory linked above for complete information and additional resources.

ExacqVision (ESM) v5.12.2 and all prior versions of ESM running on a Windows operating system.

This issue does not impact Linux deployments with permissions that are not inherited from the root directory.

On February 15, 2019, Tyco security solutions published a product security advisory for ExacqVision Enterprise System Manager (ESM).

Please reference the linked Tyco advisory below to find mitigation steps: Click Here.

March 28, 2019

CPP-PSA-20180-02 v1

Facility Explorer™ Path Traversal and Improper Authentication Vulnerabilities

ICS CERT Notice ICSA-19-022-01

CVE-2017-16744

CVE-2017-16748

Please visit the ICS CERT notice linked above for complete information and additional resources.

Facility Explorer 6.x (Niagara AX Framework™) systems, prior to 6.6

Facility Explorer 14.x (Niagara 4) systems, prior to 14.4u1

Facility Explorer Software Release 6.6 and 14.4u1 includes several fixes and important vulnerability mitigations for cybersecurity protection.

Johnson Controls recommends taking steps to minimize risks to all building automation systems.

The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices.

January 11, 2018 

September 4, 2018 

Metasys® Building Automation System (BAS) Information Disclosure Vulnerability

ICS Cert Notice ICSA-18-212-02

CVE-2018-10624

Please visit the ICS CERT notice linked above for complete information and additional resources.

Metasys system versions 8.0 and prior. 

BCM (now BC Pro) all versions prior to 3.0.2

A previous version of the Metasys BAS could potentially reveal technical information when an authentication error occurs in the BAS server.

Johnson Controls recommends taking steps to minimize risks to all BASs.

Please reference our
Metasys Security Page.

The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices.

March 17, 2015

Pub # GPS-PSA-2018-02

"Meltdown" and "Spectre" Vulnerabilities CERT Vulnerability Note VU#584653

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Find Updates Here.

Check this site regularly for updated information.

As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality.

Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.

January 10, 2018 

January 26, 2018 

“KRACK” Wi-Fi Vulnerability Attacks: CERT Vulnerability Note VU#228519

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products.  Update to follow.

A significant weakness in a commonly used Wi-Fi security protocol was announced recently which could put the confidentiality of data transferred through wireless at risk.  The attack, dubbed “KRACK” affects a newly discovered weakness in the WPA2 protocol which is commonly to secure Wi-Fi networks.

An attacker within range of a victim can potentially exploit these weaknesses to access some types of information transmitted between wireless clients and wireless network access points, thereby reducing the confidentiality and integrity of the data being transmitted.

October 16, 2017

November 16, 2017

US CERT Alert TA17-132A017-0143
 “Indicators Associated with WannaCry Ransomware”

All Metasys® software releases running on affected OS’,  All NxE55 series, all NxE85 series and LCS8520

IT systems worldwide have been affected by a prolific Ransomware attack which leverages a Microsoft SMB protocol vulnerability which may affect some Metasys system components.

Apply Microsoft patch for MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products.

May 12, 2017

June 7, 2018

ICSA-14-350-02

Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500

Independent security researcher Billy Rios identified two vulnerabilities in Johnson Controls Metasys® building automation system.

Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.

March 17, 2015

August 27, 2018

US CERT Alert TA17-132A017-0143
 “Indicators Associated with WannaCry Ransomware”

All Metasys® software releases running on affected OS’,  All NxE55 series, all NxE85 series and LCS8520

IT systems worldwide have been affected by a prolific Ransomware attack which leverages a Microsoft SMB protocol vulnerability which may affect some Metasys system components.

May 12, 2017

June 7, 2018

CVE-2014-0160"Heartbleed"

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.

No mitigation required

August 8, 2014

August 25, 2015

CVE-2014-6271"Shellshock"

A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.

No mitigation required

September 25, 2014

August 25, 2015

CVE-2014-3566
US-CERT Alert TA-14290A

Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys® Export Utility, Ready Access Portal, and Metasys® User Interface (UI) Release 1.5, 1.5.1, and 2.0

Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt cipher
text using a padding oracle side channel attack. The attack leverages the ability for the communication to be downgraded to SSL V3, an older and less secure version of SSL which is vulnerable to attack.

October 17, 2014

September 30,2016