Friday, July 19, 2019

1 Advisory Published – 07-18-19

Yesterday the DHS NCCIC-ICS published a control system security advisory for products from Johnson Controls.

The advisory describes an unquoted search path or element vulnerability in the Johnson Controls exacqVision Server. The vulnerability was reported by Gjoko Krstic of Applied Risk. Johnson Controls has a new version that mitigates the vulnerability. There are no indications that Krstic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow an unauthenticated user to elevate their privileges.
