Johnson Controls Inc. will not fix a missing authentication for critical function vulnerability in its Software House iStar Pro Door Controller, ICU, because it is at end of life, according to a report with CISA.

Successful exploitation of this remotely exploitable vulnerability, discovered by Reid Wightman of Dragos, may allow an attacker to perform a machine-in-the-middle attack to inject commands which change configuration or initiate manual door control commands.

Johnson Controls reports the following products suffer from the issue:
— Software House iStar Pro Door Controller: All versions
— ICU: Version and prior

In the vulnerability, under certain circumstances, communication between the ICU tool and an iStar Pro door controller is susceptible to machine-in-the-middle attacks which could impact door control and configuration.

CVE-2024-32752 is the case number for the vulnerability, which has a CVSS v3.1 base score of 9.1. There is also a CVSS v4 base score of 8.8.

Schneider Bold

The product sees use mainly in the critical manufacturing sector, and on a global basis.

No known exploits target this vulnerability. However, an attacker could leverage this low complexity vulnerability.

In terms of mitigations, the iSTAR Pro controller reached its end-of-support period and no further firmware updates will be provided. However, the iSTAR Pro has a physical dip switch located on its GCM board, labeled S4, that can end up configured to block out communications to the ICU tool. Consult the iSTAR Pro Installation and Configuration Guide for more details on how to set the dip switch to mitigate this vulnerability.

For more detailed mitigation instructions, click on Johnson Controls Product Security Advisory JCI-PSA-2024-06 v1.

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA provides a section for control systems security recommended practices on the ICS web page on Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with defense-in-depth strategies.

Further ICS security notices and product security guidance are on Johnson Controls product security website.


Pin It on Pinterest

Share This