Johnson Controls Kantech Door Controllers

EXECUTIVE SUMMARY: CVSS v3 3.1. ATTENTION: Exploitable via adjacent network.
RISK EVALUATION: Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive information.
Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version.
Once configured, the controller will no longer broadcast this information.
CVE-2024-32754 has been assigned to this vulnerability.
A CVSS v3.1 base score of 3.1 has been calculated; the CVSS vector string is.
For more detailed mitigation instructions, see Johnson Controls Product Security Advisory JCI-PSA-2024-13 v1.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks, recognizing VPNs may have vulnerabilities and should be updated to the most current version available.
Also recognize that a VPN is only as secure as the devices connected to it.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics.
Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.


This Cyber News was published on www.cisa.gov. Publication date: Tue, 02 Jul 2024 14:00:15 +0000