Johnson Controls Inc. has issued a series of recommendations to handle an incorrect default permissions vulnerability in its Software House C●CURE 9000, according to an advisory published with CISA.

Successful exploitation of this remotely exploitable vulnerability, discovered by Reid Wightman of Dragos, may allow an attacker to access the credentials used to access the application.

The following Johnson Controls products suffer from the issue: Software House C●CURE 9000 Site Server, version 3.00.3 and prior.

Under certain circumstances, the Software House C●CURE 9000 Site Server provides insufficient protection of directories containing executables.

CVE-2024-32861 is the identifier assigned to the vulnerability, which has a CVSS v3.1 base score of 8.8 and a CVSS v4 base score of 7.7.


The product is used in the critical manufacturing, commercial facilities, government facilities, transportation systems, and energy sectors, and it is deployed worldwide.

No known exploit specifically targets this vulnerability. However, the vulnerability has low attack complexity, so an attacker could leverage it.

In terms of mitigations, Johnson Controls recommends the following:

  • Remove write permissions from the C:\CouchDB\bin folder within Software House C●CURE 9000 Site Server for non-administrators.
  • For more detailed mitigation instructions, see Johnson Controls Product Security Advisory JCI-PSA-2024-11 v1.
  • Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.
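The first mitigation is easy to state and easy to get subtly wrong by hand (inherited ACEs cannot be edited in place, and stripping a whole entry can remove the read/execute access the application's users still need). The PowerShell script below is an added example, not part of the advisory or of Johnson Controls' own tooling. It audits the ACL on the directory named in the mitigation for write-capable entries held by non-administrative principals and, with -Remediate, removes only the write-related bits while re-granting whatever read/execute rights the entry carried. The directory path comes from the advisory; the trusted-principal list and the script name Audit-CouchDbBinAcl.ps1 are assumptions to adjust for your environment.

```powershell
<#
  Added example (not from the advisory or Johnson Controls): audit, and optionally
  repair, the ACL on the C●CURE 9000 Site Server CouchDB binary directory.
  Run from an elevated PowerShell session on the Site Server.
  Assumptions: the path from the advisory and a trusted-principal list that may
  need extending in your environment.
#>
[CmdletBinding()]
param(
    [string]$Path = 'C:\CouchDB\bin',   # directory named in the advisory mitigation
    [switch]$Remediate                  # without this switch the script only reports
)

# Principals expected to be able to modify a directory of executables.
# Assumption: add a dedicated service account here only if it truly must write to .\bin.
$TrustedPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights lets a principal add or replace executables in the directory.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $FSR::FullControl -bor $FSR::Modify -bor $FSR::Write -bor
               $FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
               $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::ChangePermissions -bor
               $FSR::TakeOwnership
# Inherited ACEs sometimes carry generic rights bits (GENERIC_WRITE, GENERIC_ALL)
# instead of the named flags, so include those in the mask as well.
$WriteMask = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

function Get-RiskyAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }            # deny entries are fine
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [PSCustomObject]@{
                Directory = $Directory
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Repair-RiskyAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    # Inherited entries cannot be edited in place: break inheritance while copying the
    # current entries as explicit ones, then strip the write bits from the risky ones.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Directory -AclObject $acl
    $acl = Get-Acl -LiteralPath $Directory

    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

        # Remove the entry, then re-grant only the non-write rights it carried so that
        # ordinary users keep read/execute access to the application binaries.
        $null = $acl.RemoveAccessRule($ace)
        $keep = [int]$ace.FileSystemRights -band (-bnot $WriteMask)
        if ($keep -ne 0) {
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $ace.IdentityReference,
                [System.Security.AccessControl.FileSystemRights]$keep,
                $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
            $acl.AddAccessRule($rule)
        }
    }
    Set-Acl -LiteralPath $Directory -AclObject $acl
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Directory not found: $Path"
}
$findings = @(Get-RiskyAce -Directory $Path)
if ($findings.Count -eq 0) {
    Write-Host "OK: no non-administrative write access on $Path"
} else {
    $findings | Format-Table -AutoSize
    if ($Remediate) {
        Repair-RiskyAce -Directory $Path
        Write-Host "Remediated. Remaining risky entries (should be none):"
        @(Get-RiskyAce -Directory $Path) | Format-Table -AutoSize
    } else {
        Write-Warning "Non-administrators can write to $Path; rerun with -Remediate to fix."
    }
}
```

Run it once without -Remediate to see which identities are flagged, confirm that none of them is a service account the application genuinely depends on, and only then run with -Remediate. The same script can be pointed at other directories with -Path, which is useful because the advisory describes the weakness as insufficient protection of directories containing executables rather than of one folder alone.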
