Johnson Controls Software House C●CURE 9000

MonitorCVSS 7.7ICS-CERT ICSA-24-135-03May 14, 2024

Johnson Controls

Attack path

Attack VectorLocal

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

Sensitive credentials used for access to the C•CURE 9000 building automation and access control system are stored in plaintext in the api.log log file. An attacker with local access to the C•CURE 9000 application server or engineering workstation can read this log file to extract valid Windows account credentials, potentially gaining unauthorized access to modify security policies, door lock assignments, alarm thresholds, or other critical building automation functions. The vulnerability affects version 3.00.2 and earlier.

What this means

What could happen

An attacker with local access to a Software House C•CURE 9000 workstation could extract stored credentials from log files, potentially gaining unauthorized access to the building automation system and allowing modifications to security settings or operations.

Who's at risk

Building automation and access control system operators using Johnson Controls Software House C•CURE 9000, including security managers and IT staff at facilities managing doors, locks, alarms, and integrated building systems. This affects any organization running C•CURE 9000 version 3.00.2 or earlier on Windows servers.

How it could be exploited

An attacker must gain local access to the C•CURE 9000 application server or workstation, then access the api.log file at C:\Program Files (x86)\Tyco\victorWebServices\victorWebsite\Logs, where plaintext credentials may be logged. The attacker can read the log file directly or copy it for offline credential extraction.

Prerequisites

Local access to the C•CURE 9000 server or workstation
File system read permissions to the victorWebServices Logs directory
Ability to access or exfiltrate the api.log file

Credentials exposed in plaintext logsLocal access required but workstations often have multiple usersHigh-privilege accounts potentially compromisedNo patch available for version 3.00.2 base release without update to CU02 or 3.00.3

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Software House C●CURE 9000: v3.00.2v3.00.2No fix yet

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDChange passwords for all Windows accounts used by C•CURE 9000 application immediately after patching

WORKAROUNDDelete or sanitize the api.log file at C:\Program Files (x86)\Tyco\victorWebServices\victorWebsite\Logs to remove plaintext credentials

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Software House C•CURE 9000 to version 3.00.2 CU02 or later

HARDENINGRestrict local file system access to the victorWebServices directory to authorized personnel only

Long-term hardening

0/1

HARDENINGImplement centralized log management to prevent sensitive credential storage in application logs

CVEs (1)

CVE-2024-0912

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/15034b51-ab34-4fcd-bfeb-5c0c3911e38f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.