iSTAR Ultra
Description
Command injection in iSTAR Ultra prior to 6.8.9.CU01 allows unauthenticated remote attackers to execute arbitrary commands as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The iSTAR Ultra door controller from Sensormatic Electronics (a Johnson Controls subsidiary) contains a command injection flaw (CWE-77) that affects all firmware versions prior to 6.8.9.CU01 [2]. An unauthenticated attacker who can reach the device over the network can send a crafted request that causes arbitrary operating system commands to be executed.
Exploitation
No authentication, user interaction, or special privileges are required, and the attack complexity is low. The flaw is an improper neutralization of special elements: request content reaches a command interpreter without shell metacharacters being stripped or escaped, so an attacker who places command syntax in the request gets that syntax interpreted as additional commands. The vulnerable code path is reachable over the network without any prior access [2].
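The following is an added illustration of the CWE-77 pattern described above, written for this page and not taken from the iSTAR Ultra firmware or from any Johnson Controls code. It models a hypothetical network diagnostic that takes a hostname from an unauthenticated request: the vulnerable handler pastes the field into a shell command line, while the hardened handler allow-lists the value and passes it as a single argv element with no shell. The payload and hostnames are constructed; `echo` stands in for the real diagnostic tool so the example runs offline, but the shell parses the line exactly as it would for any other command.

```python
import re
import subprocess

# Constructed request parameter under attacker control. The ';' terminates the
# intended command and starts a second one chosen by the attacker.
MALICIOUS_HOST = "device.example; echo INJECTED"
BENIGN_HOST = "device.example"

# Allow-list for the hostname field. The first character must be alphanumeric,
# which also blocks option injection ("-c 9999 ...") once we stop using a shell.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def vulnerable_diagnostic(host: str) -> str:
    """CWE-77: untrusted input concatenated into a shell command line.

    Hypothetical handler, not the iSTAR Ultra code path. shell=True hands the
    whole string to /bin/sh, which honours ';', '|', '$(...)' and friends.
    """
    command = f"echo pinging {host}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_only_diagnostic(host: str) -> str:
    """First layer of the fix: no shell, input is one argv element.

    The metacharacters are still present in the output, but they are never
    interpreted, so no second command runs. This alone does not stop
    argument injection (a value beginning with '-'), hence the allow-list below.
    """
    result = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return result.stdout


def hardened_diagnostic(host: str) -> str:
    """Hardened form: strict allow-list, then argv execution without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return argv_only_diagnostic(host)


def demo() -> dict:
    """Run the three handlers against the constructed payload and a benign host."""
    out = {
        "vulnerable": vulnerable_diagnostic(MALICIOUS_HOST),
        "argv_only": argv_only_diagnostic(MALICIOUS_HOST),
        "hardened_benign": hardened_diagnostic(BENIGN_HOST),
    }
    try:
        hardened_diagnostic(MALICIOUS_HOST)
        out["hardened_rejected"] = False
    except ValueError:
        out["hardened_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable handler prints `pinging device.example` and then `INJECTED` on its own line, proving the second command ran; the argv-only handler prints the payload literally, and the hardened handler refuses it before any process is spawned. Both layers matter: dropping the shell removes command injection, and the allow-list removes argument injection against the tool itself.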
Impact
Successful exploitation gives the attacker root on the controller, a complete loss of confidentiality, integrity, and availability of the device. The CVSS v3 base score is 10.0 (critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H [2]; the changed scope (S:C) reflects that the impact is not confined to the vulnerable component.
Mitigation
Sensormatic Electronics released firmware version 6.8.9.CU01 to remediate the vulnerability [2]. Users should update immediately and follow the detailed instructions in Johnson Controls Product Security Advisory JCI-PSA-2022-13. CISA additionally recommends minimizing network exposure for control system devices and isolating them behind firewalls [2].
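To act on the "prior to 6.8.9.CU01" boundary across an inventory, a practitioner needs a comparison that understands the firmware's `major.minor.patch[.CUnn]` string format. The helper below is an added example written for this page, not a Johnson Controls tool. It assumes that a version with no `CU` suffix (for example `6.8.9`) sorts below the same base version with a cumulative update suffix, which matches the advisory's "all versions prior to 6.8.9.CU01" wording; the inventory entries are constructed.

```python
import re

# Fixed version named in the advisory. Everything that compares lower is affected.
FIXED_VERSION = "6.8.9.CU01"

# Assumed format: major.minor.patch, optionally followed by ".CU" and a number.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?")


def parse_version(version: str) -> tuple:
    """Turn '6.8.9.CU01' into (6, 8, 9, 1); a missing CU suffix is treated as 0.

    Assumption (not stated on the page): the bare base version precedes its
    first cumulative update, so '6.8.9' < '6.8.9.CU01'.
    """
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised iSTAR Ultra version string: {version!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu is not None else 0)


def is_vulnerable(version: str) -> bool:
    """True when the firmware is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory) -> list:
    """Return the identifiers of controllers that still need the update, sorted.

    'inventory' is an iterable of (device_id, version_string) pairs. Versions
    that cannot be parsed are reported separately rather than silently skipped.
    """
    needs_update, unparsed = [], []
    for device_id, version in inventory:
        try:
            if is_vulnerable(version):
                needs_update.append(device_id)
        except ValueError:
            unparsed.append(device_id)
    return sorted(needs_update), sorted(unparsed)


# Constructed sample inventory; device names and versions are illustrative.
SAMPLE_INVENTORY = [
    ("door-ctl-01", "6.8.9.CU01"),
    ("door-ctl-02", "6.8.9"),
    ("door-ctl-03", "6.8.8.CU02"),
    ("door-ctl-04", "6.9.0"),
    ("door-ctl-05", "unknown"),
]

if __name__ == "__main__":
    needs_update, unparsed = triage(SAMPLE_INVENTORY)
    print("needs update:", needs_update)
    print("unparsed:", unparsed)
```

Run against the sample inventory, the helper flags `door-ctl-02` and `door-ctl-03` for the update and reports `door-ctl-05` as unparsed so it is followed up by hand rather than assumed patched.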
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- iSTAR Ultra: versions < 6.8.9.CU01
- Johnson Controls / iSTAR Ultra: all versions prior to 6.8.9.CU01
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-11 (CISA advisory ICSA-22-242-11; MITRE tags: third-party advisory, x_refsource_CERT)
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories (Johnson Controls security advisories; MITRE tag: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.