Johnson Controls Illustra Essentials Gen 4 (Update A)

MonitorCVSS 6.8ICS-CERT ICSA-24-179-07Jun 27, 2024

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

Johnson Controls Illustra Essentials Gen 4 cameras prior to firmware version Illustra.Ess4.01.02.13.6953 contain a credential recovery vulnerability (CWE-257) that allows an authenticated user with web interface access to recover other users' stored credentials. Successful exploitation could allow an attacker with valid camera login credentials to extract and reuse administrative or engineering account credentials stored on the device, potentially gaining unauthorized access to integrated building automation systems.

What this means

What could happen

An authenticated user with access to the camera's web interface could recover other users' stored credentials, potentially gaining unauthorized access to the camera system and related building automation systems.

Who's at risk

Building automation operators and facilities managers responsible for Johnson Controls Illustra Essentials Gen 4 IP cameras used for physical security monitoring in water utilities, power plants, and other critical infrastructure. This affects security system administration and potentially access to HVAC or process automation systems if credentials are shared across integrated platforms.

How it could be exploited

An attacker with valid credentials to the Illustra camera's web interface can exploit credential recovery to extract and read stored credentials for other users, potentially escalating access to building automation systems that manage physical security or HVAC controls.

Prerequisites

Valid login credentials to the Illustra Essentials Gen 4 camera web interface
Network access to the camera's web management port

Authenticated access required but camera accounts are common targetsLow EPSS score (0.1%) indicates low likelihood of opportunistic exploitationCredential exposure could escalate access to integrated building automation systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Illustra Essential Gen 4: <=Illustra.Ess4.01.02.10.5982≤ Illustra.Ess4.01.02.10.5982No fix yet

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to camera web interfaces to authorized engineering workstations only using firewall rules or network segmentation

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Illustra Essentials Gen 4 cameras to firmware version Illustra.Ess4.01.02.13.6953 or later

HARDENINGRotate all credentials for building automation system accounts that may have been stored in the camera interface

Long-term hardening

0/1

HARDENINGDisable remote web access to cameras from the internet; use VPN with multi-factor authentication if remote access is required

CVEs (1)

CVE-2024-32932

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/59f30e10-62b4-4b4d-a9fd-5887a7f27f17

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.