ICSA-20-070-04

Vulnerability from csaf_cisa - Published: 2020-03-10 00:00 - Updated: 2020-03-10 00:00
Summary
ICSA-20-070-04_Johnson Controls Kantech EntraPass

Notes

CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Summary
Joachim Kerschbaumer reported this vulnerability to Johnson Controls.
Exploitability
No known public exploits specifically target this vulnerability.
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Joachim Kerschbaumer"
        ],
        "summary": "reporting this vulnerability to Johnson Controls"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "summary",
        "text": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls.",
        "title": "Summary"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "CISAservicedesk@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-070-04 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-070-04.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-070-04 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-070-04"
      }
    ],
    "title": "ICSA-20-070-04_Johnson Controls Kantech EntraPass",
    "tracking": {
      "current_release_date": "2020-03-10T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA USCert CSAF Generator",
          "version": "1"
        }
      },
      "id": "ICSA-20-070-04",
      "initial_release_date": "2020-03-10T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-03-10T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-20-070-04 Johnson Controls Kantech EntraPass"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 8.10",
                "product": {
                  "name": "EntraPass Global Edition: All versions prior to v8.10",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "EntraPass Global Edition"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 8.10",
                "product": {
                  "name": "EntraPass Corporate Edition: All versions prior to v8.10",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "EntraPass Corporate Edition"
          }
        ],
        "category": "vendor",
        "name": "Kantech, Johnson Controls Inc."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-7589",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An issue with an API may allow an attacker to upload and execute malicious code with system-level privileges.CVE-2019-7589 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Upgrade to EntraPass Version 8.10",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "For users unable to upgrade, please reference the Johnson Controls Product Security Advisory for temporary workaround instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
        },
        {
          "category": "mitigation",
          "details": "For questions concerning this product, contact Johnson Controls Global Product Security; email: productsecurity@jci.com",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ],
          "url": "https://www.johnsoncontrols.com/cyber-solutions"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2019-7589"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.