Johnson Controls Illustra Essentials Gen 4 (Update A)
Act Now | CVSS 9.1 | ICS-CERT ICSA-24-179-04 | Jun 27, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Johnson Controls Illustra Essentials Gen 4 cameras contain an input validation vulnerability (CWE-20) that allows command injection. The vulnerability requires administrative-level access but could allow an attacker to execute arbitrary commands on the affected camera. This is critical because compromised cameras in building automation systems could be used as a pivot point to attack other infrastructure systems or disable physical security monitoring.
What this means
What could happen
An attacker with administrative credentials could inject commands into the camera system and execute them, potentially allowing manipulation of video feeds, access to building security systems, or disruption of surveillance operations critical to physical security monitoring.
Who's at risk
Building security and surveillance operators using Johnson Controls Illustra Essentials Gen 4 IP cameras should be concerned. These cameras are commonly deployed in municipal facilities, utilities, and critical infrastructure to provide physical security monitoring. If the camera system is networked with building automation or control systems, compromise could extend beyond surveillance to affect facility operations.
How it could be exploited
An attacker with high-privilege access to the camera system (administrative credentials) could send specially crafted input to the Illustra Essentials Gen 4 camera that bypasses input validation. This allows command injection, enabling the attacker to execute arbitrary commands on the camera with administrative privileges, potentially compromising the entire building automation system if the camera is networked with other critical infrastructure.
Prerequisites
- Administrative credentials or high-privilege account access to Illustra Essentials Gen 4 camera
- Network access to the camera management interface
- Knowledge of the command injection entry point
High CVSS score (9.1); Requires administrative credentials (reduces but does not eliminate risk in shared environments); Affects building automation systems which may control physical infrastructure; Command injection allows arbitrary execution; Input validation failure (CWE-20)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Illustra Essentials Gen 4 | ≤ Illustra.Ess4.01.02.10.5982 | Illustra.Ess4.01.02.13.6953
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to camera management interfaces using firewall rules; only allow connections from authorized engineering workstations on isolated networks
- HARDENING: Review and enforce strong administrative access controls; disable default or shared administrative accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade Illustra Essentials Gen 4 cameras to firmware version Illustra.Ess4.01.02.13.6953 or later
Long-term hardening
- HARDENING: Segment the camera system network from the business network and internet-facing systems
- HARDENING: If remote access to cameras is required, implement VPN with current security patches and multi-factor authentication
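To plan the firmware upgrade above, the following added example (not code from Johnson Controls or the advisory) triages a camera inventory against the two version strings in the affected-products table. The hostnames and inventory are constructed, and field-by-field numeric comparison of the dotted version is an assumption; builds between the two thresholds are reported as "verify" because the page does not state their status.

```python
import re

# Thresholds copied from the advisory's affected-products table.
LAST_AFFECTED = "Illustra.Ess4.01.02.10.5982"
FIRST_FIXED = "Illustra.Ess4.01.02.13.6953"

# Assumption: the four dotted fields after the prefix are numeric and
# compare left to right (so ".9." sorts below ".10.", unlike a string compare).
_FW = re.compile(r"^Illustra\.Ess4\.(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse(fw):
    """Return the numeric fields as a tuple, or None if not an Ess4 string."""
    m = _FW.match(fw.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify(fw):
    """Classify one firmware string against the advisory thresholds."""
    v = parse(fw)
    if v is None:
        return "unrecognized"   # other model, blank or malformed: check by hand
    if v <= parse(LAST_AFFECTED):
        return "affected"
    if v >= parse(FIRST_FIXED):
        return "fixed"
    return "verify"             # between thresholds: status not stated on the page


def triage(inventory):
    """Group hostnames by status so upgrades can be scheduled per group."""
    groups = {}
    for host, fw in sorted(inventory.items()):
        groups.setdefault(classify(fw), []).append(host)
    return groups


# Constructed sample inventory (hostname -> reported firmware string).
INVENTORY = {
    "cam-lobby-01": "Illustra.Ess4.01.02.10.5982",
    "cam-dock-02": "Illustra.Ess4.01.02.9.5500",
    "cam-roof-03": "Illustra.Ess4.01.02.13.6953",
    "cam-gate-04": "Illustra.Ess4.01.02.11.6100",
    "cam-yard-05": "OtherModel.1.2.3",
    "cam-hall-06": "",
}

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```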
CVEs (1)