Johnson Controls iSTAR Products Improper Certificate Expiration Validation Vulnerability

Vulnerability

A vulnerability exists in Johnson Controls iSTAR eX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, and iSTAR Ultra SE products, all versions prior to TLS 1.2. The issue arises from improper validation of certificate expiration, which can lead to communication failures with the C•CURE Server once the certificate expires.

Impact

Exploitation of this vulnerability can cause the product to stop communicating with the C•CURE Server after the certificate expires, disrupting normal operations.

Remediation

Johnson Controls recommends using host-based certificates with TLS 1.2, which requires downloading a new certificate to all iSTAR panels simultaneously. For iSTAR Ultra and Ultra SE panels, an upgrade to the new G2 hardware is recommended. Users can consult Johnson Controls' technical support and documentation for guidance on implementing these solutions.
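Because the failure mode here is an outage that begins the moment a panel certificate expires, the practical defence is to know each panel's expiry date well before it arrives, so replacement certificates can be rolled out to all panels in one window as the vendor describes. The script below is an added example, not code from Johnson Controls or the iSTAR product; it reads the notAfter field the Python ssl module reports for a peer certificate, classifies each panel as OK, EXPIRING or EXPIRED against a warning threshold, and can also sweep live panels over TLS 1.2. The 30-day threshold, the panel names, host/port pairs and the CA file parameter are assumptions, and the sample inventory is constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Hypothetical warning threshold (days): long enough to schedule a
# coordinated certificate rollout to every panel before the old one lapses.
WARN_DAYS = 30


def days_until_expiry(not_after, now=None):
    """Days from `now` until the certificate's notAfter, in the string format
    ssl.getpeercert()['notAfter'] uses (e.g. 'Dec 17 13:20:00 2026 GMT').
    A negative result means the certificate has already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400.0


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """EXPIRED: the panel will no longer talk to the server.
    EXPIRING: renew now. OK: outside the warning window."""
    remaining = days_until_expiry(not_after, now)
    if remaining <= 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "EXPIRING"
    return "OK"


def fetch_not_after(host, port, cafile=None, timeout=5.0):
    """Connect with TLS 1.2 or newer and return the peer certificate's notAfter.
    Needs network access, so it is not exercised offline. `cafile` is assumed to be
    the CA that issued the panel certificates; the default context also verifies
    the chain, so an expired certificate raises SSLCertVerificationError here."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit_inventory(inventory, now=None, warn_days=WARN_DAYS):
    """inventory: {panel_name: notAfter string} -> {panel_name: status}."""
    return {name: classify(not_after, now, warn_days) for name, not_after in inventory.items()}


def audit_live(panels, cafile=None, warn_days=WARN_DAYS):
    """panels: {panel_name: (host, port)} -> {panel_name: status}.
    Verification failures and unreachable hosts are reported per panel rather
    than raised, so one bad panel does not abort the whole sweep."""
    results = {}
    for name, (host, port) in panels.items():
        try:
            results[name] = classify(fetch_not_after(host, port, cafile), warn_days=warn_days)
        except ssl.SSLCertVerificationError as exc:
            results[name] = f"VERIFY_FAILED: {exc.reason}"
        except OSError as exc:
            results[name] = f"UNREACHABLE: {exc}"
    return results


# Constructed sample inventory (not real panels); the notAfter strings are in the
# exact format ssl.getpeercert() returns. SAMPLE_NOW pins "today" for reproducibility.
SAMPLE_NOW = datetime(2025, 12, 17, 13, 20, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "istar-ultra-lobby": "Dec 17 13:20:00 2026 GMT",  # a full year left
    "istar-edge-dock": "Jan  5 12:00:00 2026 GMT",    # under 30 days left
    "istar-ex-garage": "Nov 30 00:00:00 2025 GMT",    # already expired
}

if __name__ == "__main__":
    for panel, status in audit_inventory(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{panel:20s} {status}")
```

Run it as-is to see the three sample classifications; for a real sweep, call audit_live with your own panel host/port map and the CA file that issued the panel certificates. A VERIFY_FAILED entry is the condition to act on first, since that is the state in which a panel has already lost its connection to the C•CURE Server.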

Added: Dec 17, 2025, 1:20 PM
Updated: Dec 17, 2025, 1:20 PM

Vulnerability Rating

Custom Algorithm
spread:         0.3
impact:         0.6
exploitability: 6.3
remediation:    6.0
relevance:      1.4
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.