(I)IoT Security News

Johnson Controls System Configuration Tool (SCT)

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access cookies and take over the user’s session. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of System Configuration Tool (SCT) are affected: 

3.2 VULNERABILITY OVERVIEW

3.2.1 SENSITIVE COOKIE WITHOUT ‘HTTPONLY’ FLAG CWE-1004 

Because the sensitive cookie is set without the HttpOnly flag, System Configuration Tool (SCT) versions 14 and 15 are vulnerable during a cross-site scripting attack: script running in the page can read the cookie. This could allow an attacker to access cookies and take control of an affected system. 

CVE-2022-21939 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 SENSITIVE COOKIE IN HTTPS SESSION WITHOUT ‘SECURE’ ATTRIBUTE CWE-614 

Because the sensitive cookie is set without the Secure attribute in an HTTPS session, System Configuration Tool (SCT) versions 14 and 15 are vulnerable during a cross-site scripting attack. This could allow an attacker to access cookies and take control of an affected system. 

CVE-2022-21940 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). 
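Both findings above (3.2.1 and 3.2.2) come down to attributes missing from a Set-Cookie header, which is something a defender can check directly in a captured HTTPS response. The following is an added example, not code from the advisory, CISA or Johnson Controls: it parses Set-Cookie header values, reports a cookie that lacks HttpOnly (CWE-1004) or Secure (CWE-614), and shows what a correctly flagged header looks like. SCT's real cookie names and headers are not on the page; the sample headers in the block are constructed, and the function and cookie names are the example's own.

```python
"""Audit Set-Cookie headers for the two weaknesses in this advisory:
CWE-1004 (sensitive cookie without HttpOnly) and CWE-614 (cookie in an
HTTPS session without Secure). Added example; not code from the advisory."""

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names are stored lower-cased, so "HttpOnly", "httponly"
    # and "HTTPONLY" all count as the flag being present
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Only the first '=' separates name from value, so values containing '='
    (base64 padding, for example) survive intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if sep else None
    return cookie


def audit_set_cookie(header: str) -> list:
    """Return a list of findings for one Set-Cookie header; empty means it passes."""
    cookie = parse_set_cookie(header)
    findings = []
    if "httponly" not in cookie.attributes:
        findings.append(
            f"{cookie.name}: missing HttpOnly (CWE-1004); page script can read it"
        )
    if "secure" not in cookie.attributes:
        findings.append(
            f"{cookie.name}: missing Secure (CWE-614); may be sent over plaintext HTTP"
        )
    return findings


def audit_response_headers(headers: list) -> dict:
    """Audit every Set-Cookie header in a response's (name, value) header list.

    Returns {cookie name: [findings]} for cookies that fail; passing cookies are omitted.
    """
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        findings = audit_set_cookie(value)
        if findings:
            report[parse_set_cookie(value).name] = findings
    return report


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie value that carries both flags the advisory is about.

    SameSite is added as general hardening; it is not one of the advisory's CWEs.
    """
    return f"{name}={value}; Path={path}; HttpOnly; Secure; SameSite=Strict"


# Constructed sample response headers (not captured from SCT; cookie names are made up).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),                  # both flags missing
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=3600"),          # non-session, still flagged
    ("Set-Cookie", "AUTHTOKEN=xyz=; Path=/; HttpOnly; Secure"),  # passes
]


if __name__ == "__main__":
    for cookie_name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        for finding in findings:
            print(finding)
    print("hardened:", hardened_set_cookie("SESSIONID", "abc123"))
```

Run against a response captured from a test instance (for example, the header list your HTTP client exposes), any cookie in the report is one that a script injected through a cross-site scripting flaw could read, or that a client may send over plaintext HTTP; the fix on the server side is to emit every sensitive cookie in the form `hardened_set_cookie` produces.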

3.3 BACKGROUND

3.4 RESEARCHER

Johnson Controls, Inc. reported these vulnerabilities to CISA. 

4. MITIGATIONS

Johnson Controls recommends users take the following actions to mitigate the vulnerabilities. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Source:
https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03
