Main Vulnerability Database SB2020061919

SB2020061919 - Improper Verification of Cryptographic Signature in Johnson Controls exacqVision

Published: June 19, 2020

Security Bulletin ID SB2020061919

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2020-9047)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L/E:P/U:Clear

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to the affected software does not verify the cryptographic signature for data. A remote administrator can download and run a malicious executable.

Remediation

Install update from vendor's website.

References

https://ics-cert.us-cert.gov/advisories/icsa-20-170-01
https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2020/jci-psa-2020-7-v1-exacqvision-web-service-and-enterprise-manager.pdf?la=en&hash=704888A69F52AD699D6FA19A96C3B1B3104D3741