Johnson Controls’ Illustra Essentials Gen 4 IP cameras have a critical vulnerability related to password storage, identified as CVE-2024-32756. This issue, which affects versions up to Illustra.Ess4.01.02.10.5982, allows authenticated users to recover Linux user credentials because the passwords are stored in a recoverable format. This vulnerability has a CVSS v3.1 base score of 6.8, indicating a significant risk of unauthorized access due to improper handling of sensitive information.
The affected cameras are used in various sectors, including critical manufacturing, commercial facilities, government facilities, transportation systems, and energy. As such, this vulnerability could have widespread implications if exploited, potentially allowing attackers to gain access to sensitive data across different infrastructure areas. The exposure is due to the flawed implementation in the camera’s firmware, which does not securely manage stored credentials.
To mitigate this risk, Johnson Controls recommends upgrading to the latest firmware version, Illustra.Ess4.01.02.13.6953. This update addresses the vulnerability and provides improved security measures to protect user credentials. Users are advised to follow Johnson Controls’ product security advisory for detailed instructions and ensure that their devices are updated to minimize the risk of exploitation.
CISA also advises organizations to implement defensive measures such as minimizing network exposure and using secure remote access methods like VPNs. They stress the importance of conducting impact analyses and risk assessments before deploying defensive strategies. For further information and best practices on improving industrial control systems cybersecurity, organizations can refer to CISA’s resources and security advisories available on their website.
