Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Johnson Controls CK721-A and P2000 remote command execution vulnerability
Informations
Name VU#977312 First vendor Publication 2012-07-13
Vendor VU-CERT Last vendor Modification 2012-07-13
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#977312

Johnson Controls CK721-A and P2000 remote command execution vulnerability

Original Release date: 13 Jul 2012 | Last revised: 13 Jul 2012

Overview

Johnson Controls CK721-A and P2000 products contain a remote command execution vulnerability which may allow an unauthenticated remote attacker to perform various tasks against the devices.

Description

The "download" port (tcp/41014) on the CK721-A device is vulnerable to remote command execution. An unauthenticated attacker can send specially crafted packets to the port to instruct it to perform various tasks like unlocking a door, adding badges, or changing the configuration which could grant physical access to a secured area to the attacker without requiring valid credentials to the product.

The "upload" port (tcp/41013) P2000 (Pegasys) servers which is used for logging and alerting purposes is vulnerable to false alerts injections. The server accepts any messages sent to it with the only verification being the source IP address. An attacker can send specially crafted packets to the port that provides false access data to the server.

Impact

An unauthenticated attacker with network access to the CK721-A device can instruct it to perform various tasks like unlocking a door, adding badges, or changing the configuration which could grant physical access to a secured area. An unauthenticated attacker with network access to the P2000 (Pegasys) servers device can instruct it to log false alerts causing legitimate alerts to be harder to spot.

Solution

Update

The vendor has stated the following:

Vulnerability VU#977212 is addressed through the deployment of strong encryption, such as AES, for all IP based, bi-directional communications, on all ports, between CK-721 type controllers and the P2000 Security host server. The encryption methodology used by Johnson Controls Inc. supports the FIPS 140-2 standard, with reference validation certificates No. 1051 for controllers and No. 1336 for the server.

The process to implement encryption has four steps as follows:

Step 1 Upgrade of the P2000 server security application software, to version P2000 V 3.11, P2K-SW-CORE 311. P/N 27-5618-3. Service Pack 3
Step 2 Upgrade of the hardware module, of the CK-721 controller, to version CK-721A. P/N 27-5379-1044
Step 3 Upgrade of the controller firmware, to current version. SSM4388_03.1.0.17_BB
Step 4 Activation of encryption, as per the standard documentation. P/N 24-10618-147 Rev. A

The use of encryption is considered a security industry best practice, and is recommended at all times.

Additional information and support can be obtained by contacting JCI Customer Service, at 800-229-4076

Restrict Access

Implement appropriate firewall rules to block traffic from untrusted sources to TCP port 41013 and TCP port 41014.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Johnson ControlsAffected-07 Jun 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base6.4AV:N/AC:L/Au:N/C:P/I:P/A:N
Temporal4.9E:POC/RL:W/RC:UC
Environmental4.8CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

References

  • None

Credit

Thanks to Travis Lee for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs:CVE-2012-2607
  • Date Public:13 Jul 2012
  • Date First Published:13 Jul 2012
  • Date Last Updated:13 Jul 2012
  • Document Revision:19

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.


This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/977312

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)
50 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Hardware 1
Hardware 1
Os 2