CVE-2021-27661

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users of Johnson Controls Facility Explorer SNC Series Supervisory Controllers to gain unintended file system access by sending specially crafted web messages. Attackers could read or modify system files, potentially compromising controller functionality. This affects F4-SNC controllers running vulnerable firmware versions.

💻 Affected Systems

Products:
  • Johnson Controls Facility Explorer SNC Series Supervisory Controller (F4-SNC)
Versions: Firmware versions prior to 3.5.0.1142
Operating Systems: Embedded controller OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires authenticated access to the web interface.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could modify critical system files, disrupt building automation systems, install persistent malware, or gain complete control of the supervisory controller.

🟠 Likely Case

Authenticated users could access sensitive configuration files, modify system settings, or disrupt normal controller operations.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to isolated building automation networks with minimal effect on critical operations.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the web interface and knowledge of the specific web message format.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 3.5.0.1142 or later

Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Restart Required: Yes

Instructions:

1. Download firmware version 3.5.0.1142 or later from the Johnson Controls support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface.
4. Reboot the controller.
5. Verify the firmware version.

🔧 Temporary Workarounds

Network Segmentation


Isolate F4-SNC controllers from untrusted networks and limit access to authorized users only.

Access Control Restrictions


Implement strict authentication controls and limit user privileges to minimum necessary.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate controllers from untrusted networks
  • Apply principle of least privilege to user accounts and monitor for suspicious web message activity

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface: Login > System > About. If the version is below 3.5.0.1142, the controller is vulnerable.

Check Version:

No CLI command available. Check via web interface at System > About.

Verify Fix Applied:

After patching, verify firmware version shows 3.5.0.1142 or higher in System > About page.
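The checks above compare a firmware version read from System > About against 3.5.0.1142. The script below is an added example (not part of this advisory or any Johnson Controls tooling) that does that comparison numerically across an inventory of controllers; a plain string comparison would wrongly treat "3.5.0.999" as newer than "3.5.0.1142". The hostnames and version strings in the sample inventory are constructed, and the fixed version is the one stated on this page.

```python
# Added example: classify F4-SNC controllers as patched or vulnerable by
# comparing their reported firmware version to the fixed version 3.5.0.1142
# component by component, so that 3.5.0.999 sorts before 3.5.0.1142.
import re

FIXED_VERSION = "3.5.0.1142"  # fixed firmware version stated in the advisory


def parse_version(s):
    """Split a dotted version string into a tuple of ints.

    A non-numeric suffix on a component (constructed example:
    "3.5.0.1142-beta") is ignored; a component with no leading
    digits raises ValueError so it can be reported as UNKNOWN.
    """
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {s!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a <, ==, > b; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the reported firmware is older than the fixed version."""
    return compare_versions(version, fixed) < 0


def assess(inventory):
    """Map controller name -> 'VULNERABLE' | 'PATCHED' | 'UNKNOWN'.

    inventory is a dict of controller name -> firmware version string as
    read from System > About (gathering those strings is left to the reader).
    """
    result = {}
    for name, ver in inventory.items():
        try:
            result[name] = "VULNERABLE" if is_vulnerable(ver) else "PATCHED"
        except ValueError:
            result[name] = "UNKNOWN"  # version could not be parsed; check by hand
    return result


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are made up.
    sample = {
        "snc-bldg-a": "3.4.9.2000",
        "snc-bldg-b": "3.5.0.999",
        "snc-bldg-c": "3.5.0.1142",
        "snc-bldg-d": "3.5.1.10",
        "snc-bldg-e": "n/a",
    }
    for name, status in assess(sample).items():
        print(f"{name}: {sample[name]} -> {status}")
```

Anything reported as UNKNOWN should be checked manually in System > About rather than assumed patched.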

📡 Detection & Monitoring

Log Indicators:

  • Unusual web message patterns in controller logs
  • Multiple failed authentication attempts followed by successful login
  • File system access attempts from web interface

Network Indicators:

  • Unusual HTTP POST requests to controller web interface
  • Traffic patterns indicating file system enumeration

SIEM Query:

source="f4-snc-logs" AND (message="*web message*" OR message="*file access*")
