PatchSiren cyber security CVE debrief

CVE-2024-0912 Johnson Controls CVE debrief

A credential logging vulnerability in Johnson Controls Software House C●CURE 9000 allows Windows credentials to be written to IIS logs under specific conditions. The issue affects version 3.00.2 and is confined to the web server component; non-web service interfaces are not impacted. The vulnerability carries a HIGH severity CVSS 3.1 score of 7.7: the vector requires local access, high privileges and user interaction, but scope is changed (S:C) and confidentiality and integrity impact are rated high, since what ends up in the log is Windows credentials rather than application-only secrets. CISA published advisory ICSA-24-135-03 on May 14, 2024, coordinating disclosure with the vendor. Johnson Controls has released patched versions and provided manual mitigation steps for environments where immediate patching is not feasible.

Vendor
Johnson Controls
Product
Software House C●CURE 9000
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2024-05-14
Original CVE updated
2024-05-14
Advisory published
2024-05-14
Advisory updated
2024-05-14

Who should care

Organizations operating Johnson Controls Software House C●CURE 9000 physical access control systems, particularly those with web server interfaces exposed to administrative users. Security teams responsible for OT/ICS environments, building automation systems, and credential management programs should prioritize assessment and remediation.

Technical summary

The C●CURE 9000 Web Server, hosted on Microsoft IIS, can write Windows credential details to local log files under certain conditions. The disclosure occurs in the api.log file located at C:/Program Files (x86)/Tyco/victorWebServices/victorWebsite/Logs. Exploitation requires local access, high privileges and user interaction, as the CVSS vector records, but success yields high confidentiality and integrity impact with low availability impact. Non-web service interfaces and prior product versions are explicitly noted as unaffected.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor fix: Update Software House C●CURE 9000 to version 3.00.2 CU02 or 3.00.3.
  • Rotate credentials: Change passwords for any Windows accounts whose credentials may have been logged; treat every account that appears in api.log as exposed, since anyone with read access to the Logs directory could have recovered them.
  • Sanitize logs: Delete the api.log file or manually remove password instances from C:/Program Files (x86)/Tyco/victorWebServices/victorWebsite/Logs. Check who has had read access to that directory and whether the file has been shipped to backups or a log collector, where the same entries would need removing.
  • Review Johnson Controls Product Security Advisory JCI-PSA-2024-04 v1 for detailed mitigation guidance.
  • Implement CISA ICS recommended practices for network segmentation and defense-in-depth for building automation systems.
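The scan-and-redact step above is manual in the advisory. The following PowerShell script is an added example written for this debrief; it is not Johnson Controls or CISA tooling. It walks the Logs directory named in the mitigation, reports which files and lines contain credential-looking entries without writing the secret anywhere, lists accounts to put on the rotation list, and with -Redact rewrites the matching values in place. The api.log format is not shown on this page, so the $credPattern and $userPattern regexes, and the idea that a user/username key sits on the same line as the password, are assumptions to verify against a real log before relying on the output.

```powershell
<#
Added example for this debrief, not vendor (Johnson Controls) or CISA tooling.
Finds credential-looking entries in the C●CURE 9000 web server log directory,
writes a per-file/per-line report (never the secret itself), and optionally
redacts them in place. Use it alongside the vendor fix; it does not replace the update.

ASSUMPTIONS (the page does not show the api.log format):
  * credentials appear as key/value pairs such as password=... or "password": "..."
  * a user/username key on the same line, if present, names the account to rotate
Adjust $credPattern / $userPattern to what you actually see before relying on this.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Directory named in the CISA advisory mitigation.
    [string]$LogDir = 'C:\Program Files (x86)\Tyco\victorWebServices\victorWebsite\Logs',
    [string]$ReportPath = (Join-Path $env:TEMP 'ccure-credential-log-report.csv'),
    [switch]$Redact   # default is report-only; -Redact rewrites matching files
)

# Assumed patterns; the value is captured only so it can be replaced, never printed.
$credPattern = '(?i)(?<key>\bpass(?:word|wd)?\b\s*"?\s*[:=]\s*"?)(?<val>[^"&;,\s]+)'
$userPattern = '(?i)\buser(?:name)?\b\s*"?\s*[:=]\s*"?(?<user>[^"&;,\s]+)'

if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    throw "Log directory not found: $LogDir"
}

$findings = New-Object System.Collections.Generic.List[object]
foreach ($file in Get-ChildItem -LiteralPath $LogDir -File -Filter '*.log*') {
    $lineNo = 0
    foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
        $lineNo++
        $hits = [regex]::Matches($line, $credPattern)
        if ($hits.Count -eq 0) { continue }
        $u = [regex]::Match($line, $userPattern)
        $account = if ($u.Success) { $u.Groups['user'].Value } else { '(not on this line)' }
        $findings.Add([pscustomobject]@{
            File    = $file.FullName
            Line    = $lineNo
            Hits    = $hits.Count
            Account = $account
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No credential-looking entries found under $LogDir"
    return
}

# The report records locations and account names only; secret values are never written.
$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host ("{0} matching line(s) in {1} file(s); report: {2}" -f `
    $findings.Count, ($findings.File | Sort-Object -Unique).Count, $ReportPath)

# Accounts to put on the rotation list (only those the assumed user key identified).
$findings.Account | Where-Object { $_ -ne '(not on this line)' } | Sort-Object -Unique |
    ForEach-Object { Write-Host "rotate: $_" }

if ($Redact) {
    foreach ($path in ($findings.File | Sort-Object -Unique)) {
        if ($PSCmdlet.ShouldProcess($path, 'Redact credential values')) {
            try {
                $text  = [System.IO.File]::ReadAllText($path)
                $clean = [regex]::Replace($text, $credPattern, '${key}[REDACTED]')
                # Rewrites as UTF-8; the original encoding is not preserved.
                [System.IO.File]::WriteAllText($path, $clean)
            } catch {
                # Typically the file is held open by IIS; stop the site or retry later.
                Write-Warning "Could not redact $path : $($_.Exception.Message)"
            }
        }
    }
}
```

Run it report-only first from an elevated prompt, then with -Redact -WhatIf to see which files would be rewritten before committing. Keep the CSV (not the log) with the incident record, rotate every account it lists regardless of whether the redaction succeeds, and point -LogDir at any other directory, such as the IIS log folder, if your deployment writes there. Deleting api.log outright, as the advisory allows, remains the simpler option once the rotation list has been captured.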

Evidence notes

The vulnerability description and remediation guidance are derived from CISA CSAF advisory ICSA-24-135-03. Affected product version (3.00.2) and fixed versions (3.00.2 CU02, 3.00.3) are explicitly listed in the CSAF remediations section. CVSS vector AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L confirms a local attack vector with high privileges and user interaction required, changed scope, high confidentiality and integrity impact, and low availability impact.

Official resources

Coordinated disclosure via CISA ICS advisory ICSA-24-135-03 on May 14, 2024.