CVE-2020-9049 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2020-9049?

CVE-2020-9049 has a CVSS score of 7.1 (HIGH). This vulnerability allows unauthenticated attackers to forge JSON Web Tokens and execute unauthorized API methods on American Dynamics victor Web Client and Software House C•CURE Web Client systems. It affects organizations using these physical security access control systems, potentially allowing attackers to bypass authentication and conduct denial-of-service attacks.

📋 TL;DR

This vulnerability allows unauthenticated attackers to forge JSON Web Tokens and execute unauthorized API methods on American Dynamics victor Web Client and Software House C•CURE Web Client systems. It affects organizations using these physical security access control systems, potentially allowing attackers to bypass authentication and conduct denial-of-service attacks.

💻 Affected Systems

Products:

American Dynamics victor Web Client
Software House C•CURE Web Client

Versions: Specific versions as listed in vendor advisories (check Johnson Controls advisory for exact versions)

Operating Systems: Windows-based systems running the web clients

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web client components of physical access control systems. Requires network access to the vulnerable web interface.

📦 What is this software?

C Cure Web by Johnsoncontrols

View all CVEs affecting C Cure Web →

Victor Web by Johnsoncontrols

View all CVEs affecting Victor Web →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to manipulate access control systems, disable security functions, or conduct sustained denial-of-service attacks that render physical security systems inoperable.

🟠

Likely Case

Unauthorized API access leading to system disruption, data exposure, or manipulation of access control settings without proper authentication.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible if systems are exposed.

🌐 Internet-Facing: HIGH - If web clients are exposed to the internet, attackers can exploit this without authentication from anywhere.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can exploit this, but requires network access to the vulnerable systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation involves JWT manipulation which is well-documented and tools exist for JWT attacks. No public exploit code identified but technique is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Johnson Controls security advisory for specific patched versions

Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Restart Required: Yes

Instructions:

1. Review Johnson Controls security advisory ICSA-20-324-01 2. Identify affected versions 3. Apply vendor-provided patches 4. Restart affected services 5. Verify patch application

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable web clients from untrusted networks and restrict access to authorized IP addresses only

Configure firewall rules to restrict access to web client ports (typically 80/443)

Access Control Lists

all

Implement strict network access controls to limit who can reach the vulnerable web interfaces

Use network ACLs to allow only authorized management stations

🧯 If You Can't Patch

Implement strict network segmentation and firewall rules to isolate vulnerable systems
Monitor for unusual JWT activity and unauthorized API calls to the web client interfaces

🔍 How to Verify

Check if Vulnerable:

Check system version against Johnson Controls advisory and verify if JWT authentication can be bypassed

Check Version:

Check web client interface or system documentation for version information

Verify Fix Applied:

Verify patch version is installed and test that JWT authentication properly validates tokens

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful API calls
Unusual JWT generation patterns
API calls from unexpected sources

Network Indicators:

HTTP requests with manipulated JWT tokens to web client APIs
Unauthorized API method executions

SIEM Query:

source="web_client" AND (event="authentication_failure" OR event="api_call") | stats count by src_ip, user, event

📊 Metadata

CVE ID: CVE-2020-9049

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE: CWE-285

Published: November 19, 2020

Last Updated: November 21, 2024

🔗 References

https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01 Patch,Third Party Advisory,US Government Resource
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01 Patch,Third Party Advisory,US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories Vendor Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01 Patch,Third Party Advisory,US Government Resource
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01 Patch,Third Party Advisory,US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-9049, you might also want to check these: