The latest ICS advisory from Johnson Controls highlights a critical vulnerability in the Illustra Essentials Gen 4 IP camera series, identified by CVE-2024-32755. This vulnerability, assigned a CVSS v3.1 base score of 9.1, results from improper input validation within the device’s web interface. The flaw allows an attacker to input unexpected characters, potentially leading to command injection and severe security breaches. The vulnerability affects all versions of Illustra Essentials Gen 4 up to Illustra.Ess4.01.02.10.5982.
Johnson Controls has recommended an urgent update to address this issue. Users are advised to upgrade their cameras to version Illustra.Ess4.01.02.13.6953, which contains fixes for the identified vulnerability. The company has provided detailed mitigation instructions in its Product Security Advisory JCI-PSA-2024-09 v1, available on their website. This update is crucial for maintaining the security and integrity of the affected devices.
In addition to the vendor’s recommendations, the Cybersecurity and Infrastructure Security Agency (CISA) has suggested several defensive measures to mitigate the risk of exploitation. These include minimizing network exposure for control system devices, placing these systems behind firewalls, and using secure remote access methods such as updated Virtual Private Networks (VPNs). CISA emphasizes the importance of performing impact analysis and risk assessments before deploying these defensive measures.
CISA also offers additional resources and best practices for industrial control systems security on their website. While no known public exploitation of this vulnerability has been reported yet, organizations are encouraged to remain vigilant. They should follow established internal procedures to report any suspected malicious activity to CISA for tracking and correlation with other incidents.
