Johnson Controls iSTAR Ultra Firmware Verification Vulnerability Allowing Undetected Malicious Code

A vulnerability exists in Johnson Controls iSTAR Ultra access control products, including the iSTAR Ultra, iSTAR Ultra SE, and iSTAR Ultra G2 models, all firmwares prior to 6.9.2. The issue arises because the firmware verification process at boot does not thoroughly inspect all parts of the firmware, potentially allowing malicious code to be introduced. This vulnerability is particularly concerning as it can be exploited in conjunction with other vulnerabilities to modify the firmware without detection, bypassing the integrity checks that are supposed to ensure the firmware's authenticity.

Impact

Exploitation of this vulnerability could lead to the introduction of undetected malicious code into the firmware, with the potential for further exploitation by chaining with other vulnerabilities that allow firmware modification.