CVE-2019-7589

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload malicious code to Johnson Controls' Kantech EntraPass systems via the SmartService API. The uploaded code executes with system-level privileges, potentially giving attackers full control. Affects Kantech EntraPass Corporate Edition and Global Edition versions 8.0 and earlier.

💻 Affected Systems

Products:
  • Kantech EntraPass Corporate Edition
  • Kantech EntraPass Global Edition
Versions: 8.0 and prior versions
Operating Systems: Windows (typically Windows Server)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with SmartService API Service enabled. This is typically enabled by default in standard installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise: attackers execute arbitrary code with SYSTEM privileges, potentially leading to data theft, system destruction, or lateral movement within the network.

🟠 Likely Case

Remote code execution leading to installation of backdoors, credential theft, or ransomware deployment on affected access control systems.

🟢 If Mitigated

Limited impact if systems are isolated from the internet and strict network segmentation is in place, though attackers on the local network could still exploit the flaw.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-exposed systems immediate targets.
🏢 Internal Only: HIGH - Even internally, any attacker on the network can exploit this without credentials to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit - attackers simply need to send crafted requests to the SmartService API endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 8.1 or later

Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Restart Required: Yes

Instructions:

1. Download the latest version (8.1+) from the Johnson Controls support portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade.
4. Restart the EntraPass service or reboot the server.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Disable SmartService API (platform: windows)

Temporarily disable the vulnerable SmartService API service if immediate patching isn't possible:

sc stop "Kantech SmartService API"
sc config "Kantech SmartService API" start= disabled

Network Segmentation (platform: all)

Restrict network access to the EntraPass server to only the management systems that need it.

🧯 If You Can't Patch

  • Isolate affected systems from internet and implement strict network segmentation
  • Implement application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the EntraPass version in the application interface or via Windows Programs and Features. If the version is 8.0 or earlier, the system is vulnerable.

Check Version:

wmic product where "name like 'Kantech%'" get version

Verify Fix Applied:

Verify version is 8.1 or later in the application interface and confirm SmartService API is properly secured.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to SmartService API directories
  • Unexpected process execution with SYSTEM privileges
  • Failed authentication attempts to SmartService API

Network Indicators:

  • Unusual traffic to SmartService API port (typically 443 or custom port)
  • POST requests to /SmartService/Upload endpoint from unauthorized IPs

SIEM Query:

source="windows" AND (process_name="cmd.exe" OR process_name="powershell.exe") AND parent_process="Kantech SmartService API"
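The version check above and the SIEM query can be turned into a small offline detection script. This is an added example, not part of the advisory or Johnson Controls' tooling; the event field names (process_name, parent_process, user) and the sample events are constructed here, and the parent value is taken from the advisory's SIEM query rather than from a known product process name.

```python
"""Defender-side checks for CVE-2019-7589 (example code, not from the advisory).

1. is_vulnerable_version: is an EntraPass build 8.0 or earlier (fix is 8.1+)?
2. flag_suspicious_children: which process-creation records show cmd.exe or
   powershell.exe spawned by the SmartService API parent, as the SIEM query asks?
Field names and sample events below are constructed for this example.
"""
import re

FIXED_VERSION = (8, 1)                      # per the advisory: 8.1 or later is patched
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
SUSPICIOUS_PARENT = "kantech smartservice api"  # assumed: value from the SIEM query


def parse_version(text):
    """Turn '8.0.17' or '8.1' into a comparable (major, minor) tuple; None if unparsable."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(text):
    """True when the version string is 8.0 or earlier; unparsable strings are not flagged."""
    v = parse_version(text)
    return v is not None and v < FIXED_VERSION


def _basename(path):
    """Strip any Windows directory prefix and normalise case for matching."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_suspicious_children(events):
    """Return the events where a shell is launched under the SmartService API parent."""
    hits = []
    for ev in events:
        child = _basename(ev.get("process_name", ""))
        parent = _basename(ev.get("parent_process", ""))
        if child in SUSPICIOUS_CHILDREN and parent.startswith(SUSPICIOUS_PARENT):
            hits.append(ev)
    return hits


SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"ts": "2024-01-10T03:14:02Z", "process_name": r"C:\Windows\System32\cmd.exe",
     "parent_process": "Kantech SmartService API", "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2024-01-10T03:15:40Z", "process_name": "powershell.exe",
     "parent_process": "explorer.exe", "user": r"CORP\jdoe"},  # benign: user shell
    {"ts": "2024-01-10T03:16:11Z", "process_name": r"C:\Windows\System32\POWERSHELL.EXE",
     "parent_process": "kantech smartservice api", "user": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    print("vulnerable 8.0.17:", is_vulnerable_version("8.0.17"))
    for hit in flag_suspicious_children(SAMPLE_EVENTS):
        print("ALERT", hit["ts"], hit["process_name"], "<-", hit["parent_process"])
```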
