Johnson Controls’ Software House C●CURE 9000, specifically the Site Server versions 3.00.3 and prior, has been identified with a high-severity vulnerability classified as CVE-2024-32861. This vulnerability stems from incorrect default permissions, which could potentially allow an attacker to gain unauthorized access to critical directories containing executable files. With a CVSS v4 score of 8.5, this issue poses a significant risk, particularly due to its low attack complexity and remote exploitability.
The flaw affects various critical infrastructure sectors, including critical manufacturing, commercial facilities, government facilities, transportation systems, and energy sectors, globally. The issue allows attackers to exploit default permissions, potentially compromising sensitive credentials and the overall security of the application. Johnson Controls, headquartered in Ireland, has addressed the problem in its latest advisory, recommending users to upgrade to the fixed version of the Software House C●CURE 9000 Site Server.
To mitigate the risk, Johnson Controls advises removing write permissions from the C:\CouchDB\bin folder for non-administrative users. Detailed mitigation steps are outlined in their Product Security Advisory JCI-PSA-2024-11 v1. Alongside this, CISA recommends broader defensive measures, including reducing network exposure, using secure remote access methods like updated VPNs, and performing a thorough impact analysis before implementing defensive strategies.
CISA has not yet reported any specific public exploitation of this vulnerability, though it emphasizes the importance of proactive cybersecurity measures. Organizations are encouraged to consult CISA’s resources for improving industrial control systems cybersecurity and to follow recommended practices for effective defense against potential attacks. This proactive approach is crucial for maintaining the integrity and security of control systems affected by this vulnerability.