(I)IoT Security News
Critical vulnerabiliities, Cyber Security, ICS

Johnson Controls Metasys and Facility Explorer

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service by sending invalid credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Johnson Controls Metasys and Facility Explorer are affected:

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys and Facility Explorer products to cause denial-of-service.

CVE-2023-4486 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

3.4 RESEARCHER

Johnson Controls reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends users update the products to the latest versions:

For more information, contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS).

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2023-08 v2.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Source:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03

Related posts

Rockwell Automation 1734-AENTR Series B and Series C

(I) IoT
4 years ago

Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC (Update A)

(I) IoT
5 years ago

Siemens Linux-based Products (Update J)

IoT
2 years ago
Exit mobile version