CVE-2023-4804

An unauthorized user could access debug features in Quantum HD Unity products that were accidentally exposed.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01	Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Vendor Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01	Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_compressor_firmware::::::::
	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_compressor_firmware::::::::

cpe:2.3:h:johnsoncontrols:quantum_hd_unity_compressor:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_acuair_firmware::::::::
	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_acuair_firmware::::::::

cpe:2.3:h:johnsoncontrols:quantum_hd_unity_acuair:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_condenser\/vessel_firmware::::::::
	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_condenser\/vessel_firmware::::::::

cpe:2.3:h:johnsoncontrols:quantum_hd_unity_condenser\/vessel:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_evaporator_firmware::::::::
	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_evaporator_firmware::::::::

cpe:2.3:h:johnsoncontrols:quantum_hd_unity_evaporator:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_engine_room_firmware::::::::
	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_engine_room_firmware::::::::

cpe:2.3:h:johnsoncontrols:quantum_hd_unity_engine_room:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

OR	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_interface_firmware::::::::
	cpe:2.3:o:johnsoncontrols:quantum_hd_unity_interface_firmware::::::::

cpe:2.3:h:johnsoncontrols:quantum_hd_unity_interface:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:36

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 10.0
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01 - Third Party Advisory, US Government Resource
References	~~() https://www.johnsoncontrols.com/cyber-solutions/security-advisories - Vendor Advisory~~	() https://www.johnsoncontrols.com/cyber-solutions/security-advisories - Vendor Advisory

16 Nov 2023, 17:45

Type	Values Removed	Values Added
CPE		cpe:2.3:o:johnsoncontrols:quantum_hd_unity_evaporator_firmware:::::::: cpe:2.3:o:johnsoncontrols:quantum_hd_unity_acuair_firmware:::::::: cpe:2.3:h:johnsoncontrols:quantum_hd_unity_interface:-:::::::* cpe:2.3:o:johnsoncontrols:quantum_hd_unity_condenser\/vessel_firmware:::::::: cpe:2.3:h:johnsoncontrols:quantum_hd_unity_compressor:-:::::::* cpe:2.3:o:johnsoncontrols:quantum_hd_unity_engine_room_firmware:::::::: cpe:2.3:h:johnsoncontrols:quantum_hd_unity_engine_room:-:::::::* cpe:2.3:o:johnsoncontrols:quantum_hd_unity_compressor_firmware:::::::: cpe:2.3:h:johnsoncontrols:quantum_hd_unity_acuair:-:::::::* cpe:2.3:o:johnsoncontrols:quantum_hd_unity_interface_firmware:::::::: cpe:2.3:h:johnsoncontrols:quantum_hd_unity_evaporator:-:::::::* cpe:2.3:h:johnsoncontrols:quantum_hd_unity_condenser\/vessel:-:::::::*
References	~~() https://www.johnsoncontrols.com/cyber-solutions/security-advisories -~~	() https://www.johnsoncontrols.com/cyber-solutions/security-advisories - Vendor Advisory
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01 - Third Party Advisory, US Government Resource
First Time		Johnsoncontrols quantum Hd Unity Condenser\/vessel Firmware Johnsoncontrols quantum Hd Unity Interface Johnsoncontrols quantum Hd Unity Acuair Firmware Johnsoncontrols quantum Hd Unity Engine Room Johnsoncontrols quantum Hd Unity Evaporator Firmware Johnsoncontrols quantum Hd Unity Condenser\/vessel Johnsoncontrols Johnsoncontrols quantum Hd Unity Compressor Firmware Johnsoncontrols quantum Hd Unity Evaporator Johnsoncontrols quantum Hd Unity Compressor Johnsoncontrols quantum Hd Unity Acuair Johnsoncontrols quantum Hd Unity Interface Firmware Johnsoncontrols quantum Hd Unity Engine Room Firmware
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

Information

Published : 2023-11-10 23:15

Updated : 2024-11-21 08:36

NVD link : CVE-2023-4804

Mitre link : CVE-2023-4804

CVE.ORG link : CVE-2023-4804

JSON object : View

Products Affected

johnsoncontrols

quantum_hd_unity_engine_room
quantum_hd_unity_interface_firmware
quantum_hd_unity_engine_room_firmware
quantum_hd_unity_acuair_firmware
quantum_hd_unity_condenser\/vessel
quantum_hd_unity_evaporator_firmware
quantum_hd_unity_compressor
quantum_hd_unity_interface
quantum_hd_unity_compressor_firmware
quantum_hd_unity_evaporator
quantum_hd_unity_acuair
quantum_hd_unity_condenser\/vessel_firmware

CWE

CWE-489

Active Debug Code

NVD-CWE-Other

{"id": "CVE-2023-4804", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productsecurity@jci.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-11-10T23:15:07.743", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "productsecurity@jci.com"}, {"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["Vendor Advisory"], "source": "productsecurity@jci.com"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productsecurity@jci.com", "description": [{"lang": "en", "value": "CWE-489"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An\u00a0unauthorized user could access debug features in Quantum HD Unity products that were accidentally exposed."}, {"lang": "es", "value": "Un usuario no autorizado podr\u00eda acceder a las funciones de depuraci\u00f3n de los productos Quantum HD Unity que quedaron expuestos accidentalmente."}], "lastModified": "2024-11-21T08:36:00.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_compressor_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1B48F7F-42AA-45AA-8FC7-F93FA3136139", "versionEndExcluding": "11.22", "versionStartIncluding": "11.00"}, {"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_compressor_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2017C20F-3D16-4848-A0EF-42B4B4EBE345", "versionEndExcluding": "12.22", "versionStartIncluding": "12.00"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:quantum_hd_unity_compressor:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "640BFA18-318D-41FA-BBE1-C91234A25A1B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_acuair_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7E3C78C-D372-4CF3-BA1B-3F2DF3EDF364", "versionEndExcluding": "11.12", "versionStartIncluding": "11.00"}, {"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_acuair_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "607F1C13-830D-4B8D-8BCF-42A8AEDB3147", "versionEndExcluding": "12.12", "versionStartIncluding": "12.00"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:quantum_hd_unity_acuair:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2EC4238A-8CE2-4DBE-BAE5-9E687725CCB2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_condenser\\/vessel_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A84D6C4C-55F8-4E99-9BFC-F1C4E554F933", "versionEndExcluding": "11.11", "versionStartIncluding": "11.00"}, {"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_condenser\\/vessel_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E69F5AF9-715A-4AAB-BCB2-5B8AEE775BE6", "versionEndExcluding": "12.11", "versionStartIncluding": "12.00"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:quantum_hd_unity_condenser\\/vessel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1139B733-1714-4111-B53C-4644A736B734"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_evaporator_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CE01D66-6D85-4685-87D7-CA3A8D976412", "versionEndExcluding": "11.11", "versionStartIncluding": "11.00"}, {"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_evaporator_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29520C3D-1083-47BE-9B61-652579E28867", "versionEndExcluding": "12.11", "versionStartIncluding": "12.00"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:quantum_hd_unity_evaporator:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "769190A6-EF60-470F-B308-64DDD4D96C79"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_engine_room_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02F0D946-8D1D-42E2-8C55-2D9098AFC9E2", "versionEndExcluding": "11.11", "versionStartIncluding": "11.00"}, {"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_engine_room_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3AACE2F-4103-40FC-B1A5-79657AC808FE", "versionEndExcluding": "12.11", "versionStartIncluding": "12.00"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:quantum_hd_unity_engine_room:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BC48EFE2-04CD-491E-A127-E4F4370C202D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_interface_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A617CBC-3B72-46EC-B7B6-F51EFC1CD0E2", "versionEndExcluding": "11.11", "versionStartIncluding": "11.00"}, {"criteria": "cpe:2.3:o:johnsoncontrols:quantum_hd_unity_interface_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27A27741-45EE-4F9F-98F2-260804055A19", "versionEndExcluding": "12.11", "versionStartIncluding": "12.00"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:quantum_hd_unity_interface:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3C0E1361-A1D8-43AD-B0C7-9D54049DF6A8"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "productsecurity@jci.com"}

10.0 /10