1. EXECUTIVE SUMMARY
- CVSS v3 7.3
- ATTENTION: Low attack complexity
- Vendor: Qolsys, Inc.
- Equipment: IQ Panel 4, IQ4 Hub
- Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow the panel software, under certain circumstances, to provide unauthorized access to settings.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products from Qolsys, Inc, a subsidiary of Johnson Controls, are affected:
- Qolsys IQ Panel 4: Versions prior to 4.4.2
- Qolsys IQ4 Hub: Versions prior to 4.4.2
3.2 Vulnerability Overview
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
In Qolsys IQ Panel 4 and IQ4 Hub versions prior to 4.4.2, panel software, under certain circumstances, could allow unauthorized access to settings.
CVE-2024-0242 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Ireland
3.4 RESEARCHER
Cody Jung reported this vulnerability to Johnson Controls, Inc.
4. MITIGATIONS
Johnson Controls has provided the following recommendations for its subsidiary company, Qolsys, Inc, to help reduce the risk of the vulnerability:
- Upgrade IQ Panel 4, IQ4 Hub to version 4.4.2.
- The firmware can be updated remotely to all available devices in the field.
- The f
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: