This article provides detailed information about CVE-2022-21940, a vulnerability in Johnson Controls System Configuration Tool (SCT) that could allow unauthorized access to sensitive cookies.
Understanding CVE-2022-21940
This section delves into the impact, technical details, and mitigation strategies related to CVE-2022-21940.
What is CVE-2022-21940?
The vulnerability, described as "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", affects versions 14 and 15 of the Johnson Controls System Configuration Tool (SCT). Exploiting this flaw could allow threat actors to access sensitive cookies.
The Impact of CVE-2022-21940
The vulnerability's impact is rated as HIGH, with a CVSS base score of 7.5. It could lead to unauthorized access to confidential data, compromise data integrity, and disrupt system availability. The exploitation of this vulnerability falls under CAPEC-212 Functionality Misuse.
Technical Details of CVE-2022-21940
This section outlines the specifics of the vulnerability, including the affected systems, exploitation mechanism, and more.
Vulnerability Description
The vulnerability arises from the absence of the 'Secure' attribute on HTTPS session cookies in SCT versions 14 (prior to 14.2.3) and 15 (prior to 15.0.3). The 'Secure' attribute instructs the browser to send a cookie only over encrypted (HTTPS) connections; without it, the same cookie is also attached to plaintext HTTP requests to the host.
Affected Systems and Versions
Johnson Controls System Configuration Tool (SCT) versions 14 (prior to 14.2.3) and 15 (prior to 15.0.3) are affected by this vulnerability.
Exploitation Mechanism
Because the session cookie lacks the 'Secure' attribute, a browser will also transmit it over unencrypted HTTP connections to the SCT host. Threat actors able to observe such plaintext traffic could obtain the session cookie and use it to gain unauthorized access to sensitive data.
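To verify whether an HTTPS deployment exhibits this class of weakness, a defender can audit the Set-Cookie headers a server returns. The following is an added example, not code from Johnson Controls or the SCT product; it parses constructed sample headers, reports cookies that lack the 'Secure' attribute, and shows the corrected header for each finding.

```python
from dataclasses import dataclass

# Constructed sample response headers for illustration only; they are not
# captured from a real SCT installation and the cookie names are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly",
    "Set-Cookie: csrf=xyz; Path=/; Secure; SameSite=Strict",
    "set-cookie: auth=tok; Path=/; HttpOnly; secure",
]


@dataclass
class CookieFinding:
    name: str           # cookie name as sent by the server
    secure: bool        # True if the 'Secure' attribute is present
    fixed_header: str   # header with 'Secure' appended when it was missing


def parse_set_cookie(header_line):
    """Split one Set-Cookie header into (cookie name, attribute-name set).

    Attribute names are compared case-insensitively, as RFC 6265 requires.
    """
    field, _, value = header_line.partition(":")
    if field.strip().lower() != "set-cookie":
        raise ValueError(f"not a Set-Cookie header: {header_line!r}")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(headers):
    """Return a CookieFinding for every Set-Cookie header in `headers`."""
    findings = []
    for line in headers:
        name, attrs = parse_set_cookie(line)
        secure = "secure" in attrs
        # The remediation is simply to add the attribute; the rest of the
        # header is left untouched.
        fixed = line if secure else line.rstrip() + "; Secure"
        findings.append(CookieFinding(name, secure, fixed))
    return findings


def missing_secure(headers):
    """Names of cookies that would also be sent over plaintext HTTP."""
    return [f.name for f in audit(headers) if not f.secure]


if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        status = "ok" if f.secure else "MISSING Secure -> " + f.fixed_header
        print(f"{f.name}: {status}")
```

The same check can be run against live responses by feeding each Set-Cookie header from an HTTPS response into `audit`.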
Mitigation and Prevention
This section discusses the steps organizations can take to mitigate the risk posed by CVE-2022-21940.
Immediate Steps to Take
Organizations are advised to update SCT version 14 to release 14.2.3 and SCT version 15 to release 15.0.3. Johnson Controls also recommends contacting a local Johnson Controls office or an Authorized Building Control Specialist (ABCS) for assistance with the update.
Long-Term Security Practices
In the long term, organizations should prioritize regular patching and updates, security awareness training for employees, and robust cybersecurity controls so that similar weaknesses are found and fixed before they can be exploited.
Patching and Updates
Regularly apply security patches provided by Johnson Controls for the System Configuration Tool (SCT) to address known vulnerabilities and improve overall system security.