Posts Page - CloudCentric

Johnson Controls exacqVision Web Service

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 5.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Johnson Controls, Inc.
Equipment: Web Service
Vulnerability: Use of GET Request Method With Sensitive Query Strings

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Johnson Controls exacqVision Web Service are affected:

exacqVision Web Service: Versions 24.03 and prior

3.2 Vulnerability Overview

3.2.1 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598

Under certain circumstances exacqVision Web Service versions 24.03 and prior can expose authentication token details within communications.

CVE-2024-32931 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Diego Zaffaroni from Nozomi Networks reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends users update exacqVision Web Service to version 24.06

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-19.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 01, 2024: Initial Publication

Vonets WiFi Bridges

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Vonets
Equipment: VAR1200-H, VAR1200-L, VAR600-H, VAP11AC, VAP11G-500S, VBG1200, VAP11S-5G, VAP11S, VAR11N-300, VAP11G-300, VAP11N-300, VAP11G, VAP11G-500, VBG1200, VAP11AC, VGA-1000
Vulnerabilities: Use of Hard-coded Credentials, Improper Access Control, Path Traversal, Command Injection, Improper Check or Handling of Exceptional Conditions, Stack Based Buffer Overflow, Direct Request

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, cause a denial-of-service condition, or execute arbitrary code on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

At least the following Vonets products are affected:

VAR1200-H: Versions 3.3.23.6.9 and prior
VAR1200-L: Versions 3.3.23.6.9 and prior
VAR600-H: Versions 3.3.23.6.9 and prior
VAP11AC: Versions 3.3.23.6.9 and prior
VAP11G-500S: Versions 3.3.23.6.9 and prior
VBG1200: Versions 3.3.23.6.9 and prior
VAP11S-5G: Versions 3.3.23.6.9 and prior
VAP11S: Versions 3.3.23.6.9 and prior
VAR11N-300: Versions 3.3.23.6.9 and prior
VAP11G-300: Versions 3.3.23.6.9 and prior
VAP11N-300: Versions 3.3.23.6.9 and prior
VAP11G: Versions 3.3.23.6.9 and prior
VAP11G-500: Versions 3.3.23.6.9 and prior
VBG1200: Versions 3.3.23.6.9 and prior
VAP11AC: Versions 3.3.23.6.9 and prior
VGA-1000: Versions 3.3.23.6.9 and prior

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

Use of Hard-coded Credentials vulnerability affecting Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication using hard-coded administrator credentials. These accounts cannot be disabled.

CVE-2024-41161 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41161. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER ACCESS CONTROL CWE-284

Improper Access Control vulnerability affecting Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication and factory reset the device via unprotected goform endpoints.

CVE-2024-29082 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-29082. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘Path Traversal’) CWE-22

A Directory Traversal vulnerability affecting Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to read arbitrary files and bypass authentication.

CVE-2024-41936 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41936. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Multiple OS Command Injection vulnerabilities affecting Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters software versions 3.3.23.6.9 and prior, enable an authenticated remote attacker to execute arbitrary OS commands via various endpoint parameters.

CVE-2024-37023 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37023. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.5 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703

Improper Check or Handling of Exceptional Conditions vulnerability affecting Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters software versions 3.3.23.6.9 and prior, enable an unauthenticated remote attacker to cause a Denial-of-Service (DoS). A specially-crafted HTTP request to preauthentication resources can crash the service.

CVE-2024-39815 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39815. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 STACK BASED BUFFER OVERFLOW CWE-121

Stack-Based Buffer Overflow vulnerabilities affecting Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters, software versions 3.3.23.6.9 and prior, enable an unauthenticated remote attacker to execute arbitrary code.

CVE-2024-39791 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39791. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.7 DIRECT REQUEST (‘FORCED BROWSING’) CWE-425

An Improper Authentication vulnerability affecting Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters software versions 3.3.23.6.9 and prior enables an unauthenticated remote attacker to bypass authentication via a specially crafted direct request when another user has an active session.

CVE-2024-42001 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-42001. A base score of 6.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Wodzen reported these vulnerabilities to CISA.

4. MITIGATIONS

Vonets has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected products are encouraged to contact Vonets support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities have been reported to CISA at this time.

5. UPDATE HISTORY

August 1, 2024: Initial Publication

Johnson Controls exacqVision Web Service

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely
Vendor: Johnson Controls, Inc.
Equipment: exacqVision Web Service
Vulnerability: Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform state-changing operations with administrative privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Johnson Controls exacqVision Web Service are affected:

exacqVision Web Service: Versions 24.03 and prior

3.2 Vulnerability Overview

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

In Johnson Controls exacqVision Web Service versions 24.03 and prior, an attacker may be able to perform state-changing operations with administrative privileges.

CVE-2024-32863 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Diego Zaffaroni from Nozomi Networks reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends users update exacqVision Web Service to version 24.06.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-16.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

August 01, 2024: Initial Publication

Johnson Controls exacqVision Server Web Service

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.6
ATTENTION: Exploitable remotely
Vendor: Johnson Controls Inc.
Equipment: exacqVision Web Service
Vulnerability: Permissive Cross-domain Policy with Untrusted Domains

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to send an unauthorized request or access data from an untrusted domain.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of exacqVision Web Service are affected:

exacqVision Web Service: 22.12.1.0

3.2 Vulnerability Overview

3.2.1 Permissive Cross-domain Policy with Untrusted Domains CWE-942

Under certain circumstances the exacqVision web service does not provide sufficient protection from untrusted domains.

CVE-2024-32862 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-32862 . A base score of 7.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Diego Zaffaroni from Nozomi Networks reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends users update exacqVision Web Service to version 24.06.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-15

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

August 1, 2024: Initial Publication

Johnson Controls exacqVision Web Service

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.4
ATTENTION: Exploitable remotely
Vendor: Johnson Controls, Inc.
Equipment: exacqVision Server
Vulnerability: Improper Certificate Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform a man-in-the-middle attack and intercept communications.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Johnson Controls exacqVision Server are affected:

exacqVision Server: Versions 24.03 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.

CVE-2024-32865 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Diego Zaffaroni from Nozomi Networks reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends users update exacqVision Client and exacqVision Server to version 24.06

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-18.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

August 01, 2024: Initial Publication

Johnson Controls exacqVision Web Service

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.4
ATTENTION: Exploitable remotely
Vendor: Johnson Controls, Inc.
Equipment: exacqVision Web Service
Vulnerability: Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform a man-in-the-middle attack and gain access to sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Johnson Controls exacqVision Web Service are affected:

exacqVision Web Service: Versions 24.03 and prior

3.2 Vulnerability Overview

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Under certain circumstances, Johnson Controls exacqVision Web Service versions 24.03 and prior, will not enforce secure web communications (HTTPS).

CVE-2024-32864 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Diego Zaffaroni from Nozomi Networks reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends that users update exacqVision Web Service to version 24.06.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-17.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

August 01, 2024: Initial Publication

AVTECH IP Camera

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: AVTECH SECURITY Corporation
Equipment: IP camera
Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following AVTECH IP camera was identified as being affected; it is suspected that prior versions of other IP cameras and NVR (network video recorder) products are also affected:

AVM1203: firmware version FullImg-1023-1007-1011-1009 and prior

3.2 Vulnerability Overview

3.2.1 COMMAND INJECTION CWE-77

Commands can be injected over the network and executed without authentication.

CVE-2024-7029 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7029. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Financial Services, Healthcare and Public Health, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Larry Cashdollar of Akamai Technologies reported this vulnerability to CISA.
An anonymous third-party organization confirmed Akamai’s report and identified specific affected products and firmware versions.

4. MITIGATIONS

AVTECH SECURITY Corporation has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact AVTECH for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

August 1, 2024: Initial Publication

Johnson Controls exacqVision Client and exacqVision Server

Written by on August 1, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.0
ATTENTION: Exploitable remotely
Vendor: Johnson Controls Inc.
Equipment: exacqVision Client, exacqVision Server key
Vulnerability: Inadequate Encryption Strength

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to be able to decrypt communications between exacqVision Server and exacqVision Client due to insufficient key length and exchange.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of exacqVision client and exacqVision server are affected:

exacqVision client: All versions
exacqVision server: All versions

3.2 Vulnerability Overview

3.2.1 Inadequate Encryption Strength CWE-326

Under certain circumstances the communications between exacqVision Server and exacqVision Client will use insufficient key length and exchange

CVE-2024-32758 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32758. A base score of 9.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: : Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends user to update exacqVision Client and exacqVision Server to version 24.06

Follow the guidance provided in the exacqVision Hardening Guide under the Password Strengthening section.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-14