Johnson Controls Inc. Software House C●CURE 9000
CVSS score: 8.8
Source: ICS-CERT ICSA-24-191-04
Published: Jul 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Johnson Controls Software House C•CURE 9000 versions 2.80 and earlier contain a vulnerability (CWE-1391) that could allow an attacker to gain administrative access to the system. The vulnerability is remotely exploitable without requiring valid credentials, though user interaction may be involved. Successful exploitation could allow an attacker to modify access control policies, disable security features, alter user permissions, or disrupt facility operations controlled through the building automation system. Johnson Controls has released version 2.90 as a patch for this vulnerability.
What this means
What could happen
An attacker could gain administrative access to Software House C•CURE 9000, which could allow them to modify access control policies, disable security features, or disrupt facility operations through the building automation system.
Who's at risk
Building automation and facility management operators using Johnson Controls Software House C•CURE 9000 access control systems in commercial buildings, data centers, campuses, and other facilities with badge readers, door locks, and security cameras integrated into the system.
How it could be exploited
An attacker could exploit this vulnerability remotely by sending a specially crafted request to an unpatched Software House C•CURE 9000 system. The attack requires user interaction (such as clicking a link) but does not require valid credentials to gain administrative access to the system.
Prerequisites
- Network access to the Software House C•CURE 9000 system
- Target system running version 2.80 or earlier
- User interaction (e.g., clicking a malicious link) may be required
Key points
- Remotely exploitable
- No authentication required for exploitation
- Low attack complexity
- High CVSS score (8.8)
- Affects access control and security systems
- No patch currently available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product                          | Affected Versions | Fix Status
Software House C●CURE 9000       | ≤ 2.80            | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Isolate the Software House C•CURE 9000 system from the internet and from business networks using a firewall
- HARDENING: Restrict network access to Software House C•CURE 9000 to only authorized administrative workstations and engineering networks
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update Software House C•CURE 9000 to version 2.90 or later
Long-term hardening
- HARDENING: If remote access to Software House C•CURE 9000 is required, implement VPN access with current patches applied
CVEs (1)