Johnson Controls has mitigations in place to handle a path traversal vulnerability and an improper authentication vulnerability in its Facility Explorer, according to a report from NCCIC.
Successful exploitation of these vulnerabilities, which Tridium reported to Johnson Controls, could allow an attacker to read, write, and delete sensitive files to gain administrator privileges in the Facility Explorer system.
Facility Explorer leverages Tridium Niagara technology, which is affected by these vulnerabilities. The following versions of Facility Explorer suffer from the remotely exploitable vulnerabilities:
• Versions 14.x prior to 14.4u1
• Versions 6.x prior to 6.6
The first is a path traversal vulnerability that an attacker could exploit, in certain circumstances, using valid platform (administrator) credentials to access a file or directory outside of the restricted location.
CVE-2017-16744 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.6.
In addition, in certain circumstances, an attacker could log into the local Facility Explorer platform using a disabled account name and a blank password, gaining administrator access to the Facility Explorer system.
CVE-2017-16748 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.4.
The product sees use mainly in the critical manufacturing sector and is deployed on a global basis.
No known public exploits specifically target these vulnerabilities. An attacker would need a high skill level to exploit the vulnerabilities.
Johnson Controls mitigated these vulnerabilities in the following versions. Users should upgrade to one of these product versions (FX14.6 recommended):
• Facility Explorer 14.6 (released September 2018)
• Facility Explorer 14.4u1 (released August 2018)
• Facility Explorer 6.6 (released August 2018)
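As an added example (not from the NCCIC report or Johnson Controls), the following Python script triages an asset inventory against the affected version ranges listed above. The version string format (optional `FX` prefix, `major.minor`, optional `u<update>` suffix), the host names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Affected ranges from the advisory text: major branch -> first fixed (minor, update).
# 14.x prior to 14.4u1 and 6.x prior to 6.6 are affected.
FIRST_FIXED = {14: (4, 1), 6: (6, 0)}

# Assumed format: optional "FX" prefix, major.minor, optional "u<update>" suffix.
VERSION_RE = re.compile(r"^\s*(?:FX\s*)?(\d+)\.(\d+)(?:u(\d+))?\s*$", re.IGNORECASE)

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "ahu-ctrl-01": "14.2",
    "chiller-02": "FX14.4",
    "lobby-03": "14.4u1",
    "plant-04": "6.5",
    "plant-05": "6.6",
    "lab-06": "FX14.6",
    "legacy-07": "5.1",
    "misc-08": "build 221",
}


def parse_version(text):
    """Return (major, minor, update) or None if the string does not parse."""
    match = VERSION_RE.match(text)
    if not match:
        return None
    major, minor, update = match.groups()
    return int(major), int(minor), int(update or 0)


def classify(text):
    """Return 'affected', 'fixed', 'not-listed' or 'unknown' for a version string."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"  # unparseable: verify by hand rather than assume safe
    major, minor, update = parsed
    fixed = FIRST_FIXED.get(major)
    if fixed is None:
        return "not-listed"  # branch is not covered by the advisory text
    return "affected" if (minor, update) < fixed else "fixed"


def triage(inventory):
    """Group host names by status, each group sorted by host name."""
    groups = {"affected": [], "fixed": [], "not-listed": [], "unknown": []}
    for host in sorted(inventory):
        groups[classify(inventory[host])].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` or `not-listed` should be checked manually, since the advisory text only defines the 14.x and 6.x ranges.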