PatchSiren cyber security CVE debrief
CVE-2024-32756 Johnson Controls, Inc. CVE debrief
CVE-2024-32756 is a medium-severity vulnerability (CVSS 6.8) affecting Johnson Controls Illustra Essentials Gen 4 cameras. The issue allows an authenticated user to recover Linux user credentials under certain circumstances. The vulnerability was disclosed by CISA on June 27, 2024, with an advisory update on July 2, 2024 that modified the mitigation schedule. The affected product is Illustra Essentials Gen 4 cameras running firmware version Illustra.Ess4.01.02.10.5982 or earlier. Johnson Controls has released firmware version Illustra.Ess4.01.02.13.6953 to address this vulnerability. The CVSS vector indicates network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and high confidentiality impact with no integrity or availability impact.
- Vendor: Johnson Controls, Inc.
- Product: Illustra Essentials Gen 4
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-27
- Original CVE updated: 2024-07-02
- Advisory published: 2024-06-27
- Advisory updated: 2024-07-02
Who should care
Organizations deploying Johnson Controls Illustra Essentials Gen 4 cameras in physical security and surveillance environments, particularly those in critical infrastructure sectors. Security teams responsible for IoT/OT device management and firmware maintenance should prioritize patching.
Technical summary
The vulnerability exists in the Linux-based firmware of Illustra Essentials Gen 4 cameras. An authenticated attacker can, under certain conditions, recover Linux user credentials. This represents a confidentiality breach with potential for further system compromise. The attack requires network access and authenticated privileges but does not require user interaction. The scope change in the CVSS vector indicates the vulnerable component impacts resources beyond its security scope.
Defensive priority
medium
Recommended defensive actions
- Upgrade affected Illustra Essentials Gen 4 cameras to firmware version Illustra.Ess4.01.02.13.6953 or later
- Review Johnson Controls Product Security Advisory JCI-PSA-2024-07 v1 for detailed mitigation instructions
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Monitor Johnson Controls product security website for additional security notices
- Follow established internal incident response procedures and report suspected malicious activity to CISA
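To support the firmware upgrade action above, the following added example (not code from Johnson Controls, CISA or this page's author) classifies a camera inventory against the two firmware versions named in the advisory. It assumes the four numeric fields of the firmware string compare left to right; the camera names and inventory are constructed sample data, and builds between the two stated versions are flagged for vendor confirmation because the page says nothing about them.

```python
import re

# Version strings taken from the advisory text on this page.
LAST_AFFECTED = "Illustra.Ess4.01.02.10.5982"
FIRST_FIXED = "Illustra.Ess4.01.02.13.6953"

# Assumption: the identifier is the product prefix plus four numeric fields.
_PATTERN = re.compile(r"^Illustra\.Ess4\.(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_firmware(version):
    """Return the four numeric fields as a tuple, or None if the string
    is not an Illustra Essentials Gen 4 firmware identifier."""
    match = _PATTERN.match(version.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version):
    """Classify one firmware string against the advisory's version bounds."""
    parsed = parse_firmware(version)
    if parsed is None:
        return "unrecognized"  # other product line or malformed value
    if parsed <= parse_firmware(LAST_AFFECTED):
        return "affected"
    if parsed >= parse_firmware(FIRST_FIXED):
        return "fixed"
    # The page states nothing about builds between the two bounds.
    return "verify-with-vendor"


def audit(inventory):
    """Group camera names by status; inventory maps name -> firmware string."""
    report = {}
    for name, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(name)
    return report


# Constructed sample inventory (hypothetical camera names and builds).
SAMPLE_INVENTORY = {
    "lobby-cam": "Illustra.Ess4.01.02.10.5982",
    "dock-cam": "Illustra.Ess4.01.02.09.5011",
    "gate-cam": "Illustra.Ess4.01.02.13.6953",
    "roof-cam": "Illustra.Ess4.01.02.12.6500",
    "old-cam": "unknown",
}

if __name__ == "__main__":
    for status, cameras in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(cameras)}")
```

Cameras reported as "unrecognized" or "verify-with-vendor" need a manual check against Johnson Controls Product Security Advisory JCI-PSA-2024-07 rather than being assumed safe.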
Evidence notes
Vulnerability disclosed in CISA advisory ICSA-24-179-05 on June 27, 2024. Advisory updated July 2, 2024 with changes to mitigation schedule. Affected product confirmed as Illustra Essentials Gen 4 with firmware <=Illustra.Ess4.01.02.10.5982. Remediation firmware Illustra.Ess4.01.02.13.6953 available.
Official resources
- CVE-2024-32756 CVE record (CVE.org)
- CVE-2024-32756 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-06-27