OTPulse

Johnson Controls Inc. Software House C●CURE 9000 (Update B)

Score: 7.8 (CVSS) · ICS-CERT ICSA-24-191-05 · Jul 9, 2024
Attack Vector: Local
Privileges Required: Low (an ordinary local account)
Complexity: Low
User Interaction: None needed
Summary

Software House C·CURE 9000 Site Server versions 2.80 and earlier ship with incorrect default permissions on the CouchDB directory. The CouchDB\bin folder grants non-administrator local accounts broader access than intended (the remediation guidance below removes Write and Full Control from such accounts), which exposes credentials the application stores there. An attacker with a low-privileged local account can abuse this to escalate privileges on the Site Server and gain unauthorized access to the access control and building automation functions it manages. The weakness is classified as CWE-276 (Incorrect Default Permissions).

What this means
What could happen
An attacker with local account access to the Site Server could exploit improper file permissions to extract stored credentials, potentially gaining access to building automation functions across the system.
Who's at risk
Operators and facilities managers running Johnson Controls Software House C·CURE 9000 should assess this risk. The Site Server manages physical access control and building security infrastructure, so compromise of it affects door control, credential management and related building automation functions. Any facility where non-administrator users can log on to the Site Server locally (including via RDP or shared operator workstations that double as the server) is exposed.
How it could be exploited
An attacker with a non-administrator local account on the Site Server has more access to the CouchDB\bin directory than the application intends, because the default file system permissions are overly permissive. Credential files stored there are reachable from that account; the attacker reuses the credentials to authenticate to the C·CURE 9000 application and modify building automation settings or access control configuration. Because the weak permissions are a default, no misconfiguration by the site is needed for the condition to exist.
Prerequisites
  • A local account on the Site Server (a non-administrator account is sufficient)
  • File system access to the C:\CouchDB\bin directory from that account
  • Software House C·CURE 9000 Site Server version 2.80 or earlier deployed
  • Local privilege escalation
  • Requires only a low-privileged local account; no additional authentication to the application is needed
  • Low complexity exploit
  • No patch available (end-of-life product)
  • Affects building access control and automation systems
  • Credential theft enables lateral movement to other systems that trust the same credentials
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: Software House C●CURE 9000 Site Server
Affected Versions: 2.80 and earlier
Fix Status: No fix yet
Remediation & Mitigation
Do now
HARDENING: Immediately remove Full Control and Write permissions on the C:\CouchDB\bin directory for all non-administrator accounts (check both explicit and inherited entries; inherited entries from C:\CouchDB must be broken before they can be removed).
HARDENING: Configure file permissions on C:\CouchDB\bin to Read & Execute only for non-administrator accounts, and record the ACL before and after the change so it can be reverted if the CouchDB service fails to start.
CAVEAT: Tightening the ACL stops further abuse but does not undo exposure that has already happened. Treat credentials stored under CouchDB\bin as potentially compromised on any Site Server that has had non-administrator logons, and rotate them following the vendor's documented procedure.
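The two steps above can be audited and applied from an elevated PowerShell session on the Site Server. The script below is an added example for this page, not Johnson Controls' own tooling or anything from the ICS-CERT advisory. It assumes the default install path C:\CouchDB\bin and that BUILTIN\Administrators and NT AUTHORITY\SYSTEM are the only principals that legitimately need write access; if the CouchDB service runs under a dedicated service account, pass it in -Trusted. Without -Fix it only reports; with -Fix it replaces every offending entry with Read & Execute, after saving the original ACL as SDDL so the change can be reverted.

```powershell
# Added example (not from the OTPulse page or the vendor): audit, and optionally
# tighten, the ACL on the CouchDB\bin folder described in ICSA-24-191-05.
# Run as Administrator on the Site Server. Assumed defaults: C:\CouchDB\bin and
# the trusted principals below; adjust -Trusted for a CouchDB service account.
param(
    [string]$Path = 'C:\CouchDB\bin',
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
    [string]$BackupFile = "$env:TEMP\couchdb-bin-acl.sddl",
    [switch]$Fix   # without -Fix nothing is changed
)

# Specific rights that let a user alter the folder's contents or its ACL.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights (GENERIC_ALL, GENERIC_WRITE) show up as raw numbers in some ACEs.
$genericBits = 0x10000000 -bor 0x40000000

function Get-OffendingAces {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band [int]$writeBits) -ne 0) -or (($rights -band $genericBits) -ne 0)) {
            $ace
        }
    }
}

$acl = Get-Acl -Path $Path
# Keep a restorable copy of the original ACL before touching anything.
$acl.Sddl | Set-Content -Path $BackupFile
$offending = @(Get-OffendingAces -Acl $acl)

if ($offending.Count -eq 0) {
    Write-Host "OK: no non-administrator write access on $Path"
    return
}
foreach ($ace in $offending) {
    Write-Warning ("{0} holds {1} on {2} (inherited: {3})" -f
        $ace.IdentityReference, $ace.FileSystemRights, $Path, $ace.IsInherited)
}
if (-not $Fix) {
    Write-Host "Re-run with -Fix to replace these entries with Read & Execute. ACL backup: $BackupFile"
    return
}

# Inherited ACEs cannot be removed directly: stop inheriting from the parent,
# keeping copies of the inherited rules as explicit ones, then re-read the ACL.
if ($offending | Where-Object { $_.IsInherited }) {
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path
    $offending = @(Get-OffendingAces -Acl $acl)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($ace in $offending) {
    # Drop the over-broad rule, then grant the same principal Read & Execute only,
    # inherited by files and subfolders, which is what the guidance above calls for.
    [void]$acl.RemoveAccessRule($ace)
    $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ace.IdentityReference, 'ReadAndExecute', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($readOnly)
}
Set-Acl -Path $Path -AclObject $acl
Write-Host "Applied. Verify with: icacls $Path   (restore from $BackupFile if the service fails to start)"
```

Run it once without -Fix, review the warnings, then run it with -Fix during a maintenance window and restart the CouchDB service to confirm it still starts with the tightened ACL. If it does not, restore the saved SDDL with Set-Acl and investigate which principal the service actually runs as before trying again.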
Schedule — requires maintenance window

No vendor patch is available for this end-of-life version, so the remaining work is configuration change. Changes to local accounts can lock operators out of the Site Server; plan them for a maintenance window and keep a known-good administrator logon available.

HARDENING: Restrict local account creation and use on Site Server systems; disable unused local accounts and review the remaining ones for membership in groups that grant local logon.
Long-term hardening
HARDENING: Isolate Site Server systems from the business network using firewall rules; restrict network access to the Site Server to authorized engineering workstations only.
HARDENING: Provide remote access through a VPN only when required; avoid direct network exposure of the Site Server.