Risk evaluation has revealed that System Configuration Tool versions 14 and 15 are vulnerable to a cross-site scripting attack, which could allow an attacker to access cookies and take control of an affected system. CVE-2022-21939 and CVE-2022-21940 have been assigned to these vulnerabilities, with a CVSS v3 base score of 7.5. Johnson Controls recommends that users take the following actions to mitigate the vulnerabilities: minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; locate control system networks and remote devices behind firewalls and isolate them from business networks; and, when remote access is required, use secure methods such as Virtual Private Networks. CISA also recommends that organizations perform proper impact analysis and risk assessment before deploying defensive measures, and it provides a section on recommended practices for control systems security on the ICS webpage. No known public exploits specifically target these vulnerabilities, and they have a high attack complexity. CISA encourages users to provide feedback about this product.
This Cyber News was published on us-cert.cisa.gov. Publication date: Thu, 09 Feb 2023 17:49:02 +0000