PatchSiren cyber security CVE debrief
CVE-2024-32753 Johnson Controls CVE debrief
CVE-2024-32753 is a medium-severity vulnerability in Johnson Controls Illustra Pro Gen 4 cameras. The camera firmware bundles jQuery versions prior to 3.5.0, so under certain circumstances the device may be susceptible to the known vulnerabilities in those library versions, notably the cross-site scripting (XSS) issues fixed in jQuery 3.5.0. The issue was published on July 9, 2024, with a CVSS 3.1 base score of 6.9 (Medium). Affected: Illustra Pro Gen 4 Camera firmware version SS016.05.03.01.0010 and earlier. Fixed: firmware version SS016.24.03.00.0007, released by Johnson Controls to address this issue. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no indication of use in ransomware campaigns. It is classed as a third-party component vulnerability: the weakness lies in the outdated jQuery library shipped with the device, which may contain XSS and other client-side security issues, rather than in a flaw unique to the camera's own code.
- Vendor: Johnson Controls
- Product: Illustra Pro Gen 4 Camera
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-09
- Original CVE updated: 2024-07-09
- Advisory published: 2024-07-09
- Advisory updated: 2024-07-09
Who should care
Organizations deploying Johnson Controls Illustra Pro Gen 4 cameras for physical security and surveillance operations should prioritize this update. Security teams responsible for building automation systems, facility management, and OT/ICS environments need to assess their camera deployments. System integrators and managed security service providers supporting Johnson Controls video surveillance infrastructure should verify client patch status. Organizations subject to physical security compliance requirements or those with critical infrastructure protection obligations should ensure timely remediation.
Technical summary
The Johnson Controls Illustra Pro Gen 4 Camera ships jQuery versions prior to 3.5.0 in its web interface, so the device inherits the vulnerabilities fixed in that release. The two that matter here are CVE-2020-11022 and CVE-2020-11023: passing HTML from untrusted sources to jQuery's DOM manipulation methods (.html(), .append() and similar), even after that HTML had been sanitized, could execute code, because jQuery's htmlPrefilter rewrote self-closing tags (and, for CVE-2020-11023, markup containing option elements) in a way that turned inert text into live markup. Whether a given camera page is exploitable depends on the camera's own scripts passing attacker-influenced HTML through those methods; the vendor's "under certain circumstances" wording reflects that dependence rather than identifying a specific endpoint.

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N) describes a network-reachable issue of high attack complexity that needs no privileges on the device but does need a user to act, typically an authenticated operator opening a page or link that carries the crafted content. Scope is changed (S:C) because the vulnerable component is the bundled jQuery library while the impact lands in the victim's browser session with the camera, the usual framing for XSS: injected script runs with the authenticated user's session and can read what that user can see (C:H) and perform limited actions on their behalf (I:L), with no availability impact (A:N).
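To make the mechanism concrete, the following is an added example written for this debrief; it is not code from the page, from Johnson Controls or from the jQuery project. It reproduces the pre-3.5.0 jQuery.htmlPrefilter rewrite (the regex is jQuery's own rxhtmlTag, and 3.5.0 replaced the function with the identity) and runs it over the public proof-of-concept string from the jQuery advisory for CVE-2020-11022. The liveTagNames scanner is a constructed, deliberately simplified stand-in for a browser's HTML parser, just enough to show which tags end up as real elements. Run it with Node.js.

```javascript
// Added example (not code from the original page, Johnson Controls or jQuery):
// reproduce the jQuery < 3.5.0 behaviour behind CVE-2020-11022 without
// depending on jQuery, so it runs under plain Node.js.
//
// Before 3.5.0, jQuery.htmlPrefilter rewrote self-closing tags such as
// "<style />" into "<style ></style>" using the regex below (jQuery's
// rxhtmlTag). Markup that a sanitizer had judged inert, because the dangerous
// part sat inside a <style> element's raw text, could therefore be rewritten
// into live markup by .html()/.append() before it reached the DOM.

// jQuery < 3.5.0: rxhtmlTag and the replacement used by htmlPrefilter.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: htmlPrefilter is the identity function.
function fixedHtmlPrefilter(html) {
  return html;
}

// Constructed approximation of the browser's parser, only enough to answer
// "which tags become real elements?": everything after <style> up to the
// first </style> is raw text and yields no elements. Attributes and
// scripting are ignored; this exists purely to illustrate the prefilter.
function liveTagNames(html) {
  const lower = html.toLowerCase();
  const tags = [];
  let i = 0;
  while (i < lower.length) {
    const lt = lower.indexOf("<", i);
    if (lt === -1) break;
    const m = /^<([a-z][^\s\/>]*)/.exec(lower.slice(lt));
    if (!m) { i = lt + 1; continue; }          // not a start tag (e.g. "</")
    const gt = lower.indexOf(">", lt);
    if (gt === -1) break;
    tags.push(m[1]);
    i = gt + 1;
    if (m[1] === "style") {
      const close = lower.indexOf("</style>", i);
      if (close === -1) break;                 // raw text runs to end of input
      i = close + "</style>".length;
    }
  }
  return tags;
}

// Public proof-of-concept string from the jQuery advisory for CVE-2020-11022.
// The <img> sits inside <style> raw text, so a sanitizer that parses the
// string the way a browser does sees no executable element.
const PAYLOAD = "<style><style /><img src=x onerror=alert(1)>";

function liveTagsAfter(prefilter, html) {
  return liveTagNames(prefilter(html));
}

// Compare what the two prefilters hand to the browser and which tags go live.
function demo() {
  return {
    legacy: { html: legacyHtmlPrefilter(PAYLOAD), tags: liveTagsAfter(legacyHtmlPrefilter, PAYLOAD) },
    fixed:  { html: fixedHtmlPrefilter(PAYLOAD),  tags: liveTagsAfter(fixedHtmlPrefilter, PAYLOAD) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The img element only becomes live after the legacy prefilter has closed the style element early; on 3.5.0 or later the string passes through unchanged and the browser keeps the img inside the style element's raw text. The fix does not make .html() safe for untrusted input; it removes one rewrite that defeated sanitizers. Untrusted HTML still needs sanitizing (the jQuery project points to DOMPurify) or should not be inserted as HTML at all.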
Defensive priority
medium
Recommended defensive actions
- Update Illustra Pro Gen 4 camera firmware to version SS016.24.03.00.0007 or later per Johnson Controls Product Security Advisory JCI-PSA-2024-05 v1
- Apply network segmentation to isolate affected camera systems from untrusted networks
- Monitor for anomalous network activity targeting camera management interfaces
- Review and implement CISA ICS recommended practices for building automation system security
- Validate that third-party component inventories are maintained and monitored for known vulnerabilities
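The inventory step above presumes you can tell which jQuery a device actually serves. The following is an added example written for this debrief, not code from the page or from Johnson Controls: it extracts the jQuery version from the release banner comment or the asset filename in crawled web-UI files and flags anything older than 3.5.0. The banner and filename patterns are those used by jQuery releases; the sample assets and their paths are constructed for this example and do not describe the Illustra firmware.

```javascript
// Added example (not from the original page or Johnson Controls): identify
// the jQuery version a device's web UI ships and decide whether it predates
// the 3.5.0 fix, for feeding a third-party component inventory.

const FIXED_IN = "3.5.0";

// Parse "major.minor[.patch]" into numbers so "3.10.0" sorts after "3.5.0";
// a plain string comparison gets that wrong.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(s));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Look for the version in the release banner (minified builds start with
// "/*! jQuery v3.4.1 | ...", uncompressed builds carry
// " * jQuery JavaScript Library v3.4.1"), then fall back to a versioned
// filename such as "jquery-3.4.1.min.js". Returns the version or null.
function detectJQueryVersion(path, body) {
  const banner = /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/.exec(body);
  if (banner) return banner[1];
  const file = /jquery[-.](\d+\.\d+(?:\.\d+)?)(?:\.min|\.slim)*\.js/i.exec(path);
  return file ? file[1] : null;
}

// true = older than 3.5.0, false = 3.5.0 or newer, null = version unknown.
// Treat null as "unverified", not as safe: banners are often stripped.
function isVulnerableJQuery(version) {
  const v = parseVersion(version);
  return v ? compareVersions(v, parseVersion(FIXED_IN)) < 0 : null;
}

// Run the check over crawled assets ({ path, body }) and return findings.
function auditAssets(assets) {
  return assets.map(({ path, body }) => {
    const version = detectJQueryVersion(path, body);
    return { path, version, vulnerable: version === null ? null : isVulnerableJQuery(version) };
  });
}

// Constructed sample input: what a crawl of a device's static files might
// return. Bodies are truncated to their banners; the paths are made up.
const SAMPLE_ASSETS = [
  { path: "/js/jquery.min.js",
    body: "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */!function(a,b){}" },
  { path: "/js/vendor/jquery-3.4.1.min.js",
    body: "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */" },
  { path: "/js/jquery-3.7.1.js",
    body: " * jQuery JavaScript Library v3.7.1\n * https://jquery.com/" },
  { path: "/js/jquery.min.js",
    body: "/* banner stripped by the build */!function(e,t){}" },
];

console.log(auditAssets(SAMPLE_ASSETS));
```

When a banner has been stripped and the filename carries no version, the result is null and the component stays unverified; in that case check jQuery.fn.jquery in the browser console on the device's UI, or compare the file hash against known jQuery releases, rather than marking the asset as patched.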
Evidence notes
Vulnerability confirmed via CISA CSAF advisory ICSA-24-191-03. Affected product version explicitly stated as <=SS016.05.03.01.0010. Remediation version SS016.24.03.00.0007 confirmed in vendor mitigation guidance. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N yields score 6.9 per FIRST CVSS calculator reference.
Official resources
- CVE-2024-32753 CVE record (CVE.org)
- CVE-2024-32753 NVD detail (NVD)
- Source item: CISA CSAF advisory ICSA-24-191-03 (cisa_csaf)
2024-07-09