CVE-2024-0242 - Vulnerability Details - OpenCVE

Description

Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.

Published: 2024-02-08

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Qolsys, Inc.

IQ Panel 4

unaffected

Version	Status	Constraints
`0`	affected	< 4.4.2

Qolsys, Inc.

IQ4 Hub

unaffected

Version	Status	Constraints
`0`	affected	< 4.4.2

Configuration 1 [-]

AND

cpe:2.3:o:johnsoncontrols:qolsys_iq_panel_4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:qolsys_iq_panel_4:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:johnsoncontrols:qolsys_iq4_hub_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:qolsys_iq4_hub:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Upgrade IQ Panel 4 to version 4.4.2.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-16039	Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00099.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

History

No history.

Subscriptions

Johnsoncontrols Qolsys Iq4 Hub Qolsys Iq4 Hub Firmware Qolsys Iq Panel 4 Qolsys Iq Panel 4 Firmware

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-02-08T19:34:14.895Z

Updated: 2024-08-01T17:41:16.073Z

Reserved: 2024-01-04T19:27:40.165Z

Link: CVE-2024-0242

Vulnrichment

Updated: 2024-08-01T17:41:16.073Z

NVD

Status : Modified

Published: 2024-02-08T20:15:52.407

Modified: 2024-11-21T08:46:08.057

Link: CVE-2024-0242

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0242", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-01-04T19:27:40.165Z", "datePublished": "2024-02-08T19:34:14.895Z", "dateUpdated": "2024-08-01T17:41:16.073Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "IQ Panel 4", "vendor": "Qolsys, Inc.", "versions": [{"lessThan": "4.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "IQ4 Hub", "vendor": "Qolsys, Inc.", "versions": [{"lessThan": "4.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Cody Jung"}], "datePublic": "2024-02-08T19:16:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings."}], "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings."}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-02-08T19:34:14.895Z"}, "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade IQ Panel 4 to version 4.4.2.<br>"}], "value": "Upgrade IQ Panel 4 to version 4.4.2.\n"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade IQ4 Hub to version 4.4.2.<br>"}], "value": "Upgrade IQ4 Hub to version 4.4.2.\n"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The firmware can be updated remotely to all available devices in the field.<br>"}], "value": "The firmware can be updated remotely to all available devices in the field.\n"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.<br>"}], "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Unauthorized access to settings in Qolsys IQ Panel 4 and IQ4 Hub", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-09T16:33:51.654700Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:20:47.918Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T17:41:16.073Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T17:41:16.073Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0242", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-09T16:33:51.654700Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:36.803Z"}}], "cna": {"title": "Unauthorized access to settings in Qolsys IQ Panel 4 and IQ4 Hub", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Cody Jung"}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Qolsys, Inc.", "product": "IQ Panel 4", "versions": [{"status": "affected", "version": "0", "lessThan": "4.4.2", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Qolsys, Inc.", "product": "IQ4 Hub", "versions": [{"status": "affected", "version": "0", "lessThan": "4.4.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade IQ Panel 4 to version 4.4.2.\n", "supportingMedia": [{"type": "text/html", "value": "Upgrade IQ Panel 4 to version 4.4.2.<br>", "base64": false}]}, {"lang": "en", "value": "Upgrade IQ4 Hub to version 4.4.2.\n", "supportingMedia": [{"type": "text/html", "value": "Upgrade IQ4 Hub to version 4.4.2.<br>", "base64": false}]}, {"lang": "en", "value": "The firmware can be updated remotely to all available devices in the field.\n", "supportingMedia": [{"type": "text/html", "value": "The firmware can be updated remotely to all available devices in the field.<br>", "base64": false}]}, {"lang": "en", "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.\n", "supportingMedia": [{"type": "text/html", "value": "The firmware update can also be manually loaded by applying the patch tag \u201ciqpanel4.4.2\u201d on the device after navigating to its firmware update page.<br>", "base64": false}]}], "datePublic": "2024-02-08T19:16:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.", "supportingMedia": [{"type": "text/html", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-02-08T19:34:14.895Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0242", "state": "PUBLISHED", "dateUpdated": "2024-08-01T17:41:16.073Z", "dateReserved": "2024-01-04T19:27:40.165Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-02-08T19:34:14.895Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:qolsys_iq_panel_4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1D873CB-3A82-4BEA-AEAB-E815EB0CA24E", "versionEndExcluding": "4.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:qolsys_iq_panel_4:-:*:*:*:*:*:*:*", "matchCriteriaId": "AB88A6F4-3534-4684-8C56-5AC9D1BF7C0E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:qolsys_iq4_hub_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B449AC3F-4ACC-4D9A-A6B2-B4B4682E7335", "versionEndExcluding": "4.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:qolsys_iq4_hub:-:*:*:*:*:*:*:*", "matchCriteriaId": "1F577B88-3EB5-43E3-9F88-C84E81A6D99A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings."}, {"lang": "es", "value": "En determinadas circunstancias, el software del panel IQ Panel4 e IQ4 Hub anterior a la versi\u00f3n 4.4.2 podr\u00eda permitir el acceso no autorizado a la configuraci\u00f3n."}], "id": "CVE-2024-0242", "lastModified": "2024-11-21T08:46:08.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.8, "source": "productsecurity@jci.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-08T20:15:52.407", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}, {"source": "productsecurity@jci.com", "tags": ["Product"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "productsecurity@jci.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}