Johnson Controls Metasys and Facility Explorer

RISK EVALUATION. Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to cause a denial-of-service condition on an affected engine by sending invalid credentials to its login endpoint.
Under certain circumstances, invalid authentication credentials sent to the login endpoint of affected Johnson Controls Metasys engines (NAE55, SNE and SNC) and Facility Explorer F4-SNC engines can cause a denial-of-service; the affected versions and fixed releases are listed in the vendor advisory referenced below.
CVE-2023-4486 has been assigned to this vulnerability.
A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2023-08 v1.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities of their own and should be updated to the most current version available.
Also recognize that a VPN is only as secure as the devices connected to it.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics.
Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
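As an added example (not from the advisory, CISA or Johnson Controls), the script below performs the kind of check the advisory asks for when it tells organizations to watch for suspected malicious activity: it runs over a constructed access log, of the sort a reverse proxy or firewall in front of an engine would write, and flags any login-endpoint traffic from outside an assumed OT management subnet, plus bursts of failed logins from a single source. The log format, the path /api/v3/login, the 10.20.30.0/24 subnet, the status codes counted as failures and the thresholds are all assumptions to adapt to the local deployment. Because the advisory's "certain circumstances" may need only a single malformed request rather than a flood, the network check fires on the first login attempt from an unexpected source regardless of count; the burst counter is a second, independent signal.

```python
"""Flag invalid-credential traffic against a BAS engine login endpoint.

Added example, not code from the CISA advisory or from Johnson Controls.
The log format is constructed (timestamp, source IP, method, path, status)
and the endpoint path, allowed subnet and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed login endpoint path as seen by the proxy in front of the engine.
LOGIN_PATH = "/api/v3/login"
# Assumed: only the OT management network is permitted to reach the web UI.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# Assumed tuning: this many failed logins from one source within WINDOW.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5
# Responses treated as a rejected or malformed credential submission.
FAILED_STATUSES = {400, 401, 403}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample input; lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2023-12-07T09:00:01 10.20.30.15 POST /api/v3/login 200
2023-12-07T09:00:05 10.20.30.15 GET /api/v3/objects 200
2023-12-07T09:01:00 192.0.2.44 POST /api/v3/login 401
2023-12-07T09:01:02 192.0.2.44 POST /api/v3/login 401
2023-12-07T09:01:03 192.0.2.44 POST /api/v3/login 400
2023-12-07T09:01:04 192.0.2.44 POST /api/v3/login 401
2023-12-07T09:01:05 192.0.2.44 POST /api/v3/login 401
2023-12-07T09:05:00 10.20.30.22 POST /api/v3/login 401
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": ipaddress.ip_address(m["src"]),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """True for a credential submission to the login endpoint that was rejected."""
    return rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["status"] in FAILED_STATUSES


def analyze(lines):
    """Return a list of (kind, source_ip, timestamp) alerts, each fired once per source."""
    alerts = []
    recent = defaultdict(deque)  # per-source timestamps of failed logins inside WINDOW
    flagged_outside = set()
    flagged_burst = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != LOGIN_PATH:
            continue
        src = rec["src"]
        # Any login traffic from outside the management network is suspect on its
        # own, since a single crafted request may be enough to trigger the DoS.
        if src not in flagged_outside and not any(src in net for net in ALLOWED_NETS):
            flagged_outside.add(src)
            alerts.append(("login-from-unexpected-network", str(src), rec["ts"]))
        if not is_failed_login(rec):
            continue
        q = recent[src]
        q.append(rec["ts"])
        # Drop failures older than the sliding window (q is non-empty: we just appended).
        while rec["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD and src not in flagged_burst:
            flagged_burst.add(src)
            alerts.append(("failed-login-burst", str(src), rec["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind} src={src}")
```

On the constructed sample this raises two alerts for 192.0.2.44, one at its first login attempt (it is outside the allowed subnet) and one at its fifth failure within a minute, while the single failure from 10.20.30.22 raises none. In production the allow-list should mirror the firewall rules that implement the advisory's exposure-minimization guidance, so that any hit on the network check also indicates a gap in those rules.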


This Cyber News was published on www.cisa.gov. Publication date: Thu, 07 Dec 2023 17:00:27 +0000

