CVE-2020-9049 - OpenCVE

A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:A/AC:M/Au:N/C:N/I:N/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Johnsoncontrols	C-cure Web Victor Web

Configuration 1 [-]

OR	cpe:2.3:a:johnsoncontrols:c-cure_web::::::::
	cpe:2.3:a:johnsoncontrols:victor_web::::::::

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01	Patch Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jci

Published: 2020-11-19T00:00:00

Updated: 2020-11-19T15:27:09

Reserved: 2020-02-18T00:00:00

Link: CVE-2020-9049

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-19T16:15:11.173

Modified: 2020-12-04T15:18:38.803

Link: CVE-2020-9049

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "victor Web Client version 5.6 and prior", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "5.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "C\u2022CURE Web Client version 2.90 and prior (Note - This does not affect the new web-based C\u2022CURE 9000 client that was introduced in C\u2022CURE 9000 v2.90)", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "2.90", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "datePublic": "2020-11-19T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House C\u2022CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 : Improper Access Control (Authorization)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-19T15:27:09", "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}, {"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}], "solutions": [{"lang": "en", "value": "victor Web Client\n\n\u2022\tvictor Web Client v5.6 and earlier \u2013 upgrade to v5.6 SP1 (victor Unified Client v5.6 SP1)\n\nRegistered users can obtain the software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx.\n\nC\u2022CURE Web Client\n\nC\u2022CURE Web v2.60 and earlier - upgrade to a minimum of v2.70 and install the relevant update below.\n\n\u2022\tC\u2022CURE Web v2.70 - install the update WebClient_c2.70_5.2_Update02\n\u2022\tC\u2022CURE Web v2.80 - install the update WebClient_c2.80_v5.4.1_Update04\n\u2022\tC\u2022CURE Web v2.90 - install the update CCureWeb_2.90_Update01 \n\nRegistered users can obtain the software update by downloading the update found here: https://swhouse.com/Support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}, "title": "victor Web Client and C\u2022CURE Web Client JSON Web Token (JWT) Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productsecurity@jci.com", "DATE_PUBLIC": "2020-11-19T14:00:00.000Z", "ID": "CVE-2020-9049", "STATE": "PUBLIC", "TITLE": "victor Web Client and C\u2022CURE Web Client JSON Web Token (JWT) Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "victor Web Client version 5.6 and prior", "version": {"version_data": [{"version_affected": "<=", "version_value": "5.6"}]}}, {"product_name": "C\u2022CURE Web Client version 2.90 and prior (Note - This does not affect the new web-based C\u2022CURE 9000 client that was introduced in C\u2022CURE 9000 v2.90)", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.90"}]}}]}, "vendor_name": "Johnson Controls"}]}}, "credit": [{"lang": "eng", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House C\u2022CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 : Improper Access Control (Authorization)"}]}]}, "references": {"reference_data": [{"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "refsource": "CONFIRM", "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}, {"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}]}, "solution": [{"lang": "en", "value": "victor Web Client\n\n\u2022\tvictor Web Client v5.6 and earlier \u2013 upgrade to v5.6 SP1 (victor Unified Client v5.6 SP1)\n\nRegistered users can obtain the software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx.\n\nC\u2022CURE Web Client\n\nC\u2022CURE Web v2.60 and earlier - upgrade to a minimum of v2.70 and install the relevant update below.\n\n\u2022\tC\u2022CURE Web v2.70 - install the update WebClient_c2.70_5.2_Update02\n\u2022\tC\u2022CURE Web v2.80 - install the update WebClient_c2.80_v5.4.1_Update04\n\u2022\tC\u2022CURE Web v2.90 - install the update CCureWeb_2.90_Update01 \n\nRegistered users can obtain the software update by downloading the update found here: https://swhouse.com/Support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "cveId": "CVE-2020-9049", "datePublished": "2020-11-19T00:00:00", "dateReserved": "2020-02-18T00:00:00", "dateUpdated": "2020-11-19T15:27:09", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:c-cure_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C1E9FAF-B52D-4ABE-8457-7CA79C0C5DBC", "versionEndIncluding": "2.90", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:victor_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "E225100B-FAF2-403E-8443-D055A1BFBD23", "versionEndIncluding": "5.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House C\u2022CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack."}, {"lang": "es", "value": "Una vulnerabilidad en versiones espec\u00edficas de American Dynamics victor Web Client y Software House C\u2022CURE Web Client, podr\u00eda permitir a un atacante no autenticado en la red crear y firmar su propio JSON Web Token y usarlo para ejecutar un HTTP API Method sin la necesidad de una autorizaci\u00f3n de autenticaci\u00f3n. En determinadas circunstancias, un atacante podr\u00eda usar esto para afectar la disponibilidad del sistema al conducir un ataque de Denegaci\u00f3n de Servicio"}], "id": "CVE-2020-9049", "lastModified": "2020-12-04T15:18:38.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 5.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2020-11-19T16:15:11.173", "references": [{"source": "productsecurity@jci.com", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}