CISA issues ICS advisories on hardware vulnerabilities in Qolsys, HID equipment

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published industrial control systems (ICS) advisories warning of hardware vulnerabilities in equipment from Qolsys, a subsidiary of Johnson Controls, and from HID, deployed across the global critical infrastructure sector. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

In its advisory, CISA disclosed that Qolsys’ IQ Panel 4 and IQ4 Hub equipment contained an ‘exposure of sensitive information to an unauthorized actor’ vulnerability. “Successful exploitation of this vulnerability could allow the panel software, under certain circumstances, to provide unauthorized access to settings,” it added.

The affected Qolsys products are IQ Panel 4 versions before 4.4.2 and IQ4 Hub versions before 4.4.2. “In Qolsys IQ Panel 4 and IQ4 Hub versions prior to 4.4.2, panel software, under certain circumstances, could allow unauthorized access to settings. CVE-2024-0242 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated,” it added.

CISA noted that Cody Jung reported this vulnerability to Johnson Controls.

Johnson Controls has recommended that users of Qolsys hardware reduce the risk from the vulnerability by upgrading IQ Panel 4 and IQ4 Hub to version 4.4.2. The firmware can be updated remotely on all available devices in the field, and firmware updates can also be loaded manually by applying the patch tag ‘iqpanel4.4.2’ on the device after navigating to its firmware update page.

In another ICS advisory, CISA disclosed an improper authorization vulnerability in HID Global iCLASS SE and OMNIKEY equipment. “Successful exploitation of this vulnerability could allow an attacker to read data from reader configuration cards and credentials. Reader configuration cards contain credential and device administration keys which could be used to create malicious configuration cards or credentials.”

The affected HID products, when configured as an encoder, are all versions of the iCLASS SE CP1000 encoder, iCLASS SE readers, iCLASS SE reader modules, iCLASS SE processors, OMNIKEY 5427CK readers, OMNIKEY 5127CK readers, OMNIKEY 5023 readers, and OMNIKEY 5027 readers.

The CISA advisory, which covers equipment used across multiple critical infrastructure sectors, said that “Certain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys. CVE-2024-22388 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated.”

HID Global reported this vulnerability to CISA.

HID advises users to protect the reader configuration cards; protect credentials and disable legacy technologies; harden iCLASS SE readers against configuration changes; and harden HID OMNIKEY readers, HID iCLASS SE reader modules, and HID iCLASS SE processors against configuration changes.

In another advisory, CISA also highlighted an improper authorization vulnerability in HID Global Reader Configuration Cards equipment. “Successful exploitation of this vulnerability could allow an attacker to read the credential and device administration keys from a configuration card. Those keys could be used to create malicious configuration cards or credentials.”

The HID products affected by this issue include HID iCLASS SE reader configuration cards (all versions) and OMNIKEY Secure Elements reader configuration cards (all versions).

CISA recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability, such as minimizing network exposure for all control system devices and/or systems and ensuring they are not accessible from the internet. It also recommends locating control system networks and remote devices behind firewalls and isolating them from business networks.

Additionally, when remote access is required, users should use more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the connected devices.
