Johnson Controls Inc. Software House C●CURE 9000

Plan PatchCVSS 8.8ICS-CERT ICSA-24-191-04Jul 9, 2024

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Johnson Controls Software House C•CURE 9000 versions 2.80 and earlier contain a vulnerability (CWE-1391) that could allow an attacker to gain administrative access to the system. The vulnerability is remotely exploitable without requiring valid credentials, though user interaction may be involved. Successful exploitation could allow an attacker to modify access control policies, disable security features, alter user permissions, or disrupt facility operations controlled through the building automation system. Johnson Controls has released version 2.90 as a patch for this vulnerability.

What this means

What could happen

An attacker could gain administrative access to Software House C•CURE 9000, which could allow them to modify access control policies, disable security features, or disrupt facility operations through the building automation system.

Who's at risk

Building automation and facility management operators using Johnson Controls Software House C•CURE 9000 access control systems in commercial buildings, data centers, campuses, and other facilities with badge readers, door locks, and security cameras integrated into the system.

How it could be exploited

An attacker could exploit this vulnerability remotely by sending a specially crafted request to an unpatched Software House C•CURE 9000 system. The attack requires user interaction (such as clicking a link) but does not require valid credentials to gain administrative access to the system.

Prerequisites

Network access to Software House C•CURE 9000 system over the network
Target system running version 2.80 or earlier
User interaction (e.g., clicking a malicious link) may be required

Remotely exploitableNo authentication required for exploitationLow attack complexityHigh CVSS score (8.8)Affects access control and security systemsNo patch currently available

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Software House C●CURE 9000: <=2.80≤ 2.80No fix yet

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate Software House C•CURE 9000 system from the internet and from business networks using a firewall

HARDENINGRestrict network access to Software House C•CURE 9000 to only authorized administrative workstations and engineering networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Software House C•CURE 9000 to version 2.90 or later

Long-term hardening

0/1

HARDENINGIf remote access to Software House C•CURE 9000 is required, implement VPN access with current patches applied

CVEs (1)

CVE-2024-32759

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/248ec03a-736f-4efc-8ba3-c24bf25e0b9c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.