Johnson Controls Kantech EntraPass vulnerability

Cybersecurity specialists have reported the finding of a critical vulnerability affecting Johnson Controls' EntraPass system. According to the report, successful exploitation of this vulnerability could allow an authorized, low-privileged threat actor to gain high privileges on the target system.

This software is employed by hundreds of companies around the world, which rely on EntraPass for multiple critical infrastructure systems. Johnson Controls reported this vulnerability to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The following are affected products, according to the company’s announcement:

  • Special Edition: All versions up to v8.22
  • Corporate Edition: All versions up to v8.22
  • Global Edition: All versions up to v8.22

This is an improper access control vulnerability: it could allow a malicious, low-privileged user to gain full privileges at the system level simply by replacing certain critical files with specially crafted ones. The flaw, tracked as CVE-2020-9046, has received a score of 8.8/10 on the Common Vulnerability Scoring System (CVSS) scale, so it is considered a high-severity vulnerability.
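Because the flaw is exploited by replacing files on disk, one defensive check an administrator can run is a file-integrity baseline of the installation directory: hash the files once from a known-good install, then re-check them on a schedule and alert on anything modified, missing or newly dropped. The script below is an added illustration and is not code from the article or from Johnson Controls; the directory layout, file names and watched extensions are constructed placeholders, since the article does not name EntraPass' own files.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical set of file types worth watching in a product install tree.
# The real EntraPass file names are not given in the article, so these
# suffixes are placeholders chosen for the example.
WATCHED_SUFFIXES = (".exe", ".dll", ".ini", ".xml")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every watched file under root, keyed by its POSIX-style relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns three sorted lists: files whose hash changed, files that
    disappeared, and watched files that were not present at baseline time.
    """
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: baseline a fake install dir, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"original service binary")
        (root / "config.ini").write_text("[server]\nport=1234\n")
        (root / "readme.txt").write_text("not a watched file type")

        baseline = build_baseline(root)

        # Simulate the kind of change the advisory describes: a watched
        # binary is overwritten and an extra library appears in the tree.
        (root / "bin" / "service.exe").write_bytes(b"replaced binary")
        (root / "plugin.dll").write_bytes(b"dropped file")

        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be generated from a clean install and stored somewhere the low-privileged accounts cannot write (a separate host or a read-only location); a baseline that sits in the same directory an attacker can already modify proves nothing. The same comparison logic works for any product directory, not only EntraPass.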

The company recommends that administrators of affected installations upgrade any Edition to v8.3; for additional technical details on this flaw and its mitigation process, users can consult the official Johnson Controls Security Alert.

CISA, for its part, recommends that users implement relevant defensive measures to mitigate the risk of this flaw being exploited. Specifically, CISA says users must:

  • Apply the principle of least privilege
  • Perform proper impact analysis and risk assessment prior to deploying defensive measures

Affected software versions may be actively used in hundreds of industrial environments. If an IT team detects traces of malicious activity, staff must implement and follow their own cybersecurity incident management procedures. Reporting these findings to CISA is a complementary measure that helps track an attack and link it to other similar incidents, which in turn helps cybersecurity agencies improve their response to malicious hacking.

Besides implementing incident management protocols, enterprises should consider cybersecurity awareness training for employees as an additional tool to strengthen information security defenses. The following measures can help users contribute to cyberdefense:

  • Ignore any unsolicited link or file attached to an email
  • Avoid the use of suspicious websites
  • Notify the IT department of any anomalous behavior

So far, there are no known public exploits for this flaw; the vulnerability is not remotely exploitable, so attack scenarios are complex.