CVE-2024-0242 - Vulnerability Details - OpenCVE

Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00099.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Qolsys, Inc.

IQ Panel 4

unaffected

Version	Status	Constraints
`0`	affected	< 4.4.2

Qolsys, Inc.

IQ4 Hub

unaffected

Version	Status	Constraints
`0`	affected	< 4.4.2

Configuration 1 [-]

AND

cpe:2.3:o:johnsoncontrols:qolsys_iq_panel_4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:qolsys_iq_panel_4:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:johnsoncontrols:qolsys_iq4_hub_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:qolsys_iq4_hub:-:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors	Products
Johnsoncontrols Subscribe	Qolsys Iq4 Hub Subscribe Qolsys Iq4 Hub Firmware Subscribe Qolsys Iq Panel 4 Subscribe Qolsys Iq Panel 4 Firmware Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2024-16039	Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.

Fixes

Solution

Upgrade IQ Panel 4 to version 4.4.2.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-02-08T19:34:14.895Z

Updated: 2024-08-01T17:41:16.073Z

Reserved: 2024-01-04T19:27:40.165Z

Link: CVE-2024-0242

Vulnrichment

Updated: 2024-08-01T17:41:16.073Z

NVD

Status : Modified

Published: 2024-02-08T20:15:52.407

Modified: 2024-11-21T08:46:08.057

Link: CVE-2024-0242

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0242", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-01-04T19:27:40.165Z", "datePublished": "2024-02-08T19:34:14.895Z", "dateUpdated": "2024-08-01T17:41:16.073Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "IQ Panel 4", "vendor": "Qolsys, Inc.", "versions": [{"lessThan": "4.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "IQ4 Hub", "vendor": "Qolsys, Inc.", "versions": [{"lessThan": "4.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Cody Jung"}], "datePublic": "2024-02-08T19:16:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings."}], "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings."}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-02-08T19:34:14.895Z"}, "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade IQ Panel 4 to version 4.4.2.<br>"}], "value": "Upgrade IQ Panel 4 to version 4.4.2.\n"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade IQ4 Hub to version 4.4.2.<br>"}], "value": "Upgrade IQ4 Hub to version 4.4.2.\n"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The firmware can be updated remotely to all available devices in the field.<br>"}], "value": "The firmware can be updated remotely to all available devices in the field.\n"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.<br>"}], "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Unauthorized access to settings in Qolsys IQ Panel 4 and IQ4 Hub", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-09T16:33:51.654700Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:20:47.918Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T17:41:16.073Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T17:41:16.073Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-09T16:33:51.654700Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:36.803Z"}}], "cna": {"title": "Unauthorized access to settings in Qolsys IQ Panel 4 and IQ4 Hub", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Cody Jung"}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Qolsys, Inc.", "product": "IQ Panel 4", "versions": [{"status": "affected", "version": "0", "lessThan": "4.4.2", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Qolsys, Inc.", "product": "IQ4 Hub", "versions": [{"status": "affected", "version": "0", "lessThan": "4.4.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade IQ Panel 4 to version 4.4.2.\n", "supportingMedia": [{"type": "text/html", "value": "Upgrade IQ Panel 4 to version 4.4.2.<br>", "base64": false}]}, {"lang": "en", "value": "Upgrade IQ4 Hub to version 4.4.2.\n", "supportingMedia": [{"type": "text/html", "value": "Upgrade IQ4 Hub to version 4.4.2.<br>", "base64": false}]}, {"lang": "en", "value": "The firmware can be updated remotely to all available devices in the field.\n", "supportingMedia": [{"type": "text/html", "value": "The firmware can be updated remotely to all available devices in the field.<br>", "base64": false}]}, {"lang": "en", "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.\n", "supportingMedia": [{"type": "text/html", "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.<br>", "base64": false}]}], "datePublic": "2024-02-08T19:16:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.", "supportingMedia": [{"type": "text/html", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-02-08T19:34:14.895Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0242", "state": "PUBLISHED", "dateUpdated": "2024-08-01T17:41:16.073Z", "dateReserved": "2024-01-04T19:27:40.165Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-02-08T19:34:14.895Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:qolsys_iq_panel_4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1D873CB-3A82-4BEA-AEAB-E815EB0CA24E", "versionEndExcluding": "4.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:qolsys_iq_panel_4:-:*:*:*:*:*:*:*", "matchCriteriaId": "AB88A6F4-3534-4684-8C56-5AC9D1BF7C0E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:qolsys_iq4_hub_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B449AC3F-4ACC-4D9A-A6B2-B4B4682E7335", "versionEndExcluding": "4.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:qolsys_iq4_hub:-:*:*:*:*:*:*:*", "matchCriteriaId": "1F577B88-3EB5-43E3-9F88-C84E81A6D99A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings."}, {"lang": "es", "value": "En determinadas circunstancias, el software del panel IQ Panel4 e IQ4 Hub anterior a la versi\u00f3n 4.4.2 podr\u00eda permitir el acceso no autorizado a la configuraci\u00f3n."}], "id": "CVE-2024-0242", "lastModified": "2024-11-21T08:46:08.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.8, "source": "productsecurity@jci.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-08T20:15:52.407", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}, {"source": "productsecurity@jci.com", "tags": ["Product"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "productsecurity@jci.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}