
Johnson Controls released an upgrade to fix an improper authorization vulnerability in its exacqVision Enterprise System Manager (ESM), according to a report from NCCIC.

Successful exploitation of this vulnerability, discovered by @bzyo_, could allow malicious code execution.


This vulnerability impacts exacqVision ESM v5.12.2 and prior. All Microsoft Windows operating systems are affected with the exception of Microsoft Windows Server.

By default, the product grants excessive permissions on its directories to authorized, low-privilege system accounts. An attacker could leverage this to modify application files or to escalate privileges.
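One way a defender can check for the condition described above, as an added example that is not Johnson Controls' code or remediation: a PowerShell audit of the ESM install tree for ACL entries that grant write-capable rights to low-privilege principals. The install path and the principal list are assumptions; adjust them for the deployment.

```powershell
# Added example (not vendor code): audit a directory tree for ACEs that grant
# write-capable rights to low-privilege principals.
$Root = 'C:\Program Files\exacqVision\ESM'   # assumed install path, adjust as needed

# Principals that should not be able to alter application files (assumed list).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller add, replace, delete or re-permission files.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WeakDirectoryAcl {
    param(
        [string]$Path,
        [string[]]$Principals,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    # Include the root itself plus every subdirectory.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $Rights) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Find-WeakDirectoryAcl -Path $Root -Principals $LowPrivPrincipals -Rights $WriteRights)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) ACE(s) grant write-capable rights to low-privilege principals."
} else {
    Write-Host "No write-capable ACEs for low-privilege principals under $Root."
}
```

Run it before and after applying the vendor upgrade; any remaining findings on the application directories are the permissions the fix is meant to remove.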


CVE-2019-7588 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.7.

The product is used mainly in the critical manufacturing sector and is deployed globally.

No known public exploits specifically target this vulnerability. It is not exploitable remotely, and a high skill level is needed to exploit it.

Ireland-based Johnson Controls recommends the following:
• Users should upgrade to the latest product version, 19.03
• Further ICS security notices and product security guidance are located at the Johnson Controls product security website.

For questions concerning this product, click on the Johnson Controls Global Product Security site or send an email.
