CISA released 7 Industrial Control Systems (ICS) advisories in July, which provide timely information about current security vulnerabilities and exploits.
1> Johnson Controls Kantech Door Controllers
ICSA-24-184-01 Johnson Controls Kantech Door Controllers
EXECUTIVE SUMMARY
- CVSS v3 3.1
- ATTENTION: Exploitable via adjacent network
- Vendor: Johnson Controls, Inc.
- Equipment: Kantech KT1, KT2, KT400 Door Controllers
- Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor
RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive information.
TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products by Kantech, a subsidiary of Johnson Controls, are affected:
- Kantech KT1 Door Controller, Rev01: Versions 2.09.01 and prior
- Kantech KT2 Door Controller, Rev01: Versions 2.09.01 and prior
- Kantech KT400 Door Controller, Rev01: Versions 3.01.16 and prior
2> mySCADA myPRO
ICSA-24-184-02 mySCADA myPRO
EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: mySCADA
- Equipment: myPRO
- Vulnerability: Use of Hard-coded Password
RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to remotely execute code on the affected device.
TECHNICAL DETAILS
AFFECTED PRODUCTS
The following mySCADA products are affected:
- myPRO: Versions prior to 8.31.0
3> ICONICS and Mitsubishi Electric Products
ICSA-24-184-03 ICONICS and Mitsubishi Electric Products
EXECUTIVE SUMMARY
- CVSS v3 7.0
- ATTENTION: Exploitable remotely
- Vendor: ICONICS, Mitsubishi Electric
- Equipment: ICONICS Product Suite
- Vulnerabilities: Allocation of Resources Without Limits or Throttling, Improper Neutralization, Uncontrolled Search Path Element, Improper Authentication, Unsafe Reflection
RISK EVALUATION
Successful exploitation of these vulnerabilities could result in denial of service, improper privilege management, or potentially remote code execution.
TECHNICAL DETAILS
AFFECTED PRODUCTS
ICONICS reports that the following versions of ICONICS Product Suite are affected:
- ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.2 (CVE-2023-2650, CVE-2023-4807)
- AlarmWorX Multimedia (AlarmWorX64 MMX): All versions prior to 10.97.3 (CVE-2024-1182)
- MobileHMI: All versions prior to 10.97.3 (CVE-2024-1573)
- ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: All versions prior to 10.97.3 (CVE-2024-1574)
4> Johnson Controls Illustra Essentials Gen 4 (Update A)
ICSA-24-179-04 Johnson Controls Illustra Essentials Gen 4 (Update A)
EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Johnson Controls, Inc.
- Equipment: Illustra Essentials Gen 4
- Vulnerability: Improper Input Validation
RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to inject commands.
TECHNICAL DETAILS
AFFECTED PRODUCTS
Johnson Controls reports that the following versions of Illustra Essentials Gen 4 IP camera are affected:
- Illustra Essentials Gen 4: all versions up to Illustra.Ess4.01.02.10.5982
5> Johnson Controls Illustra Essentials Gen 4 (Update A)
- ICSA-24-179-05 Johnson Controls Illustra Essentials Gen 4 (Update A)
EXECUTIVE SUMMARY
- CVSS v3 6.8
- ATTENTION: Exploitable remotely
- Vendor: Johnson Controls, Inc.
- Equipment: Illustra Essentials Gen 4
- Vulnerability: Storing Passwords in a Recoverable Format
RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated user to recover credentials for other Linux users.
TECHNICAL DETAILS
AFFECTED PRODUCTS
Johnson Controls reports that the following versions of Illustra Essential Gen 4, an IP camera, are affected:
- Illustra Essentials Gen 4: versions up to Illustra.Ess4.01.02.10.5982
6> Johnson Controls Illustra Essentials Gen 4 (Update A)
- ICSA-24-179-06 Johnson Controls Illustra Essentials Gen 4 (Update A)
EXECUTIVE SUMMARY
- CVSS v3 6.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Johnson Controls, Inc.
- Equipment: Illustra Essentials Gen 4
- Vulnerability: Insertion of Sensitive Information into Log File
RISK EVALUATION
Successful exploitation of this vulnerability may allow an attacker to gain access to Linux user credentials.
TECHNICAL DETAILS
AFFECTED PRODUCTS
Johnson Controls reports that the following versions of Illustra Essential Gen 4 IP cameras are affected:
- Illustra Essential Gen 4: version Illustra.Ess4.01.02.10.5982 and prior
7> Johnson Controls Illustra Essentials Gen 4 (Update A)
- ICSA-24-179-07 Johnson Controls Illustra Essentials Gen 4 (Update A)
EXECUTIVE SUMMARY
- CVSS v3 6.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Johnson Controls, Inc.
- Equipment: Illustra Essentials Gen 4
- Vulnerability: Storing Passwords in a Recoverable Format
RISK EVALUATION
Successful exploitation of this vulnerability may allow web interface user's credentials to be recovered by an authenticated user.
TECHNICAL DETAILS
AFFECTED PRODUCTS
Johnson Controls reports that the following versions of Illustra Essentials IP cameras are affected:
- Illustra Essential Gen 4: versions Illustra.Ess4.01.02.10.5982 and prior
Comments