Johnson Controls’ Illustra Essentials Gen 4 IP cameras have been identified with a significant vulnerability related to password storage. The issue, labeled as CVE-2024-32932, involves storing passwords in a recoverable format, which could potentially allow an authenticated user to access other users’ credentials. This vulnerability has been rated with a CVSS v3.1 base score of 6.8, indicating a moderate to high risk of exploitation.
The affected product versions include Illustra Essentials Gen 4 cameras up to version Illustra.Ess4.01.02.10.5982. The flaw is categorized under CWE-257, which pertains to improper password storage practices. The issue could lead to unauthorized recovery of user credentials through the web interface, posing a risk to sensitive information stored within the system. Johnson Controls has recommended upgrading to version Illustra.Ess4.01.02.13.6953 to address this issue.
Johnson Controls has advised users to take immediate action by updating their systems to the latest version to mitigate the risk associated with this vulnerability. The company also emphasizes the importance of securing building automation systems and maintaining proper security practices. Additional guidance and updates can be found on the Johnson Controls product security website and in their Product Security Advisory JCI-PSA-2024-08.
CISA has outlined defensive measures to minimize the risk of exploitation, such as reducing network exposure, using firewalls, and employing secure remote access methods like VPNs. Organizations are encouraged to implement cybersecurity strategies and perform risk assessments before deploying defensive measures. While no known public exploitation of this vulnerability has been reported, organizations should remain vigilant and report any suspicious activity to CISA for tracking and correlation.
